CVE-2025-59106
moderate-risk
Published 2026-01-26
The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. If an attacker is able to execute code on the system via other vulnerabilities it is possible to directly execute commands with highest privileges.
Do I need to act?
-
0.09% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10
High
NETWORK
/ LOW complexity
Affected Products (6)
Dormakaba Access Manager 9200-K7 Firmware
Dormakaba Access Manager 9230-K7 Firmware
Dormakaba Access Manager 9290-K7 Firmware
Dormakaba Access Manager 9200-K5 Firmware
Dormakaba Access Manager 9230-K5 Firmware
Dormakaba Access Manager 9290-K5 Firmware
Affected Vendors
References (3)
Third Party Advisory
https://r.sec-consult.com/dkaccess
Third Party Advisory
https://r.sec-consult.com/dormakaba
Vendor Advisory
https://www.dormakabagroup.com/en/security-advisories
43
/ 100
moderate-risk
Severity
30/34 · Critical
Exploitability
0/34 · Minimal
Exposure
13/34 · Low