Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-59104— Unlocked Bootloader in dormakaba access manager

EPSS 0.02% · P5
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2025-59104

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Unlocked Bootloader in dormakaba access manager
Source: NVD (National Vulnerability Database)
Vulnerability Description
With physical access to the device and enough time an attacker is able to solder test leads to the debug footprint (or use the 6-Pin tag-connect cable). Thus, the attacker gains access to the bootloader, where the kernel command line can be changed. An attacker is able to gain a root shell through this vulnerability.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1234
Source: NVD (National Vulnerability Database)
Vulnerability Title
Dormakaba Access Manager 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Dormakaba Access Manager是美国Dormakaba公司的一个智能硬件控制器。 Dormakaba Access Manager存在安全漏洞,该漏洞源于物理访问可修改引导加载程序内核命令行,可能导致获取root shell。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
dormakabaAccess Manager 92xx-k7 92xx-k7: <BAME 06.00 -

II. Public POCs for CVE-2025-59104

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2025-59104

登录查看更多情报信息。

Same Patch Batch · dormakaba · 2026-01-26 · 20 CVEs total

CVE-2025-59105Unencrypted Flash Storage in dormakaba access manager
CVE-2025-59091Hardcoded Legacy Accounts Allowing Control Over Access Managers in dormakaba Kaba exos 930
CVE-2025-59098Trace Functionality Leaking Sensitive Data in dormakaba access manager
CVE-2025-59090Unauthenticated SOAP API in dormakaba Kaba exos 9300
CVE-2025-59095Hard-coded Key for PIN Encryption in dormakaba Kaba exos 9300
CVE-2025-59107Static Firmware Encryption Password in dormakaba access manager
CVE-2025-59094Local Privilege Escalation in dormakaba Kaba exos 9300 System management
CVE-2025-59102Secrets Stored in Plaintext in Database in dormakaba access manager
CVE-2025-59092Unauthenticated RPC Service in dormakaba Kaba exos 9300
CVE-2025-59099Unauthenticated Path Traversal in dormakaba access manager
CVE-2025-59097Unauthenticated SOAP API in dormakaba access manager
CVE-2025-59106Web Server Running with Root Privileges in dormakaba access manager
CVE-2025-59096Weak Default Password in dormakaba Kaba exos 9300
CVE-2025-59109UART Leaking Sensitive Data in dormakaba registration unit 9002
CVE-2025-59093Insecure Password Derivation Function for Database Administrator in dormakaba Kaba exos 93
CVE-2025-59101Insufficient Session Management in dormakaba access manager
CVE-2025-59100Unauthenticated Access to the SQLite Database in dormakaba access manager
CVE-2025-59103Weak Default Passwords for SSH Access in dormakaba access manager
CVE-2025-59108Weak Default Passwords in dormakaba access manager

IV. Related Vulnerabilities

Same product: Access Manager 92xx-k7
Same vendor: dormakaba
Same weakness: CWE-1234

V. Comments for CVE-2025-59104

No comments yet

Leave a comment