CVE-2025-59106 (GCVE-0-2025-59106)
Vulnerability from cvelistv5 – Published: 2026-01-26 10:06 – Updated: 2026-01-27 18:44
VLAI
Title
Web Server Running with Root Privileges in dormakaba access manager
Summary
The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. If an attacker is able to execute code on the system via other vulnerabilities it is possible to directly execute commands with highest privileges.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-272 - Least Privilege Violation
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://r.sec-consult.com/dormakaba | technical-description |
| https://r.sec-consult.com/dkaccess | third-party-advisory |
| https://www.dormakabagroup.com/en/security-advisories | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| dormakaba | Access Manager 92xx-k7 |
Affected:
92xx-k7: <BAME 06.00
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-59106",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T18:44:35.148811Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T18:44:41.817Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Access Manager 92xx-k7",
"vendor": "dormakaba",
"versions": [
{
"status": "affected",
"version": "92xx-k7: \u003cBAME 06.00"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Clemens Stockenreitner, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Werner Schober, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. If an attacker is able to execute code on the system via other vulnerabilities it is possible to directly execute commands with highest privileges. \u003cbr\u003e"
}
],
"value": "The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. If an attacker is able to execute code on the system via other vulnerabilities it is possible to directly execute commands with highest privileges."
}
],
"impacts": [
{
"capecId": "CAPEC-234",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-234: Hijacking a privileged process"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-272",
"description": "CWE-272: Least Privilege Violation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T10:06:13.702Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://r.sec-consult.com/dormakaba"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/dkaccess"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dormakabagroup.com/en/security-advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "To secure the devices from unauthorized access, it is highly recommended to change the default password and update to at least firmware version BAME 06.00.x RA.\u003cbr\u003e"
}
],
"value": "To secure the devices from unauthorized access, it is highly recommended to change the default password and update to at least firmware version BAME 06.00.x RA."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Web Server Running with Root Privileges in dormakaba access manager",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2025-59106",
"datePublished": "2026-01-26T10:06:13.702Z",
"dateReserved": "2025-09-09T07:53:12.879Z",
"dateUpdated": "2026-01-27T18:44:41.817Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-59106",
"date": "2026-06-28",
"epss": "0.00684",
"percentile": "0.47906"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-59106\",\"sourceIdentifier\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"published\":\"2026-01-26T10:16:08.513\",\"lastModified\":\"2026-06-17T09:45:33.767\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. If an attacker is able to execute code on the system via other vulnerabilities it is possible to directly execute commands with highest privileges.\"},{\"lang\":\"es\",\"value\":\"El binario que sirve al servidor web y que ejecuta pr\u00e1cticamente todas las acciones lanzadas desde la interfaz de usuario web se est\u00e1 ejecutando con privilegios de root. Esto va en contra del principio de m\u00ednimo privilegio. Si un atacante es capaz de ejecutar c\u00f3digo en el sistema a trav\u00e9s de otras vulnerabilidades, es posible ejecutar comandos directamente con los privilegios m\u00e1s altos.\"}],\"affected\":[{\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"affectedData\":[{\"vendor\":\"dormakaba\",\"product\":\"Access Manager 92xx-k7\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"92xx-k7: \u003cBAME 06.00\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-01-27T18:44:35.148811Z\",\"id\":\"CVE-2025-59106\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-272\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:dormakabagroup:dormakaba_access_manager_9200-k7_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"bame_06.00\",\"matchCriteriaId\":\"677FDE80-CB98-4CAA-BAEA-B75CD903CE15\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:dormakabagroup:dormakaba_access_manager_9200-k7:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"625A7698-8C85-443A-8234-3378335CF871\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:dormakabagroup:dormakaba_access_manager_9230-k7_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"bame_06.00\",\"matchCriteriaId\":\"88F6324C-CCC1-4B42-8BE7-5D64EC43F27D\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:dormakabagroup:dormakaba_access_manager_9230-k7:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"706730A1-C200-40FA-A7F0-153DAC88128A\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:dormakabagroup:dormakaba_access_manager_9290-k7_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"bame_06.00\",\"matchCriteriaId\":\"ECF1C26D-A592-46F3-996F-28E92C96F6BE\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:dormakabagroup:dormakaba_access_manager_9290-k7:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"56E30693-0FCA-4568-A2E8-C9D3C8D4E682\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:dormakabagroup:dormakaba_access_manager_9200-k5_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"533DF243-A900-46D3-85EE-C898716A1AE6\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:dormakabagroup:dormakaba_access_manager_9200-k5:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"51D3E658-5FA5-4C38-85B1-05D914AC973F\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:dormakabagroup:dormakaba_access_manager_9230-k5_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A10552E6-7CC9-43DA-9020-DA344B92D50F\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:dormakabagroup:dormakaba_access_manager_9230-k5:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"926B0276-D7C3-4099-AD6D-C63B860A57F4\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:dormakabagroup:dormakaba_access_manager_9290-k5_firmware:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4F36B37E-5048-4EB2-9B0B-3A1607ABD7D5\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:dormakabagroup:dormakaba_access_manager_9290-k5:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7B8FCD3D-0E03-4ACA-884C-540866A4B7B9\"}]}]}],\"references\":[{\"url\":\"https://r.sec-consult.com/dkaccess\",\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://r.sec-consult.com/dormakaba\",\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.dormakabagroup.com/en/security-advisories\",\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-59106\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-27T18:44:35.148811Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-27T18:44:28.259Z\"}}], \"cna\": {\"title\": \"Web Server Running with Root Privileges in dormakaba access manager\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Clemens Stockenreitner, SEC Consult Vulnerability Lab\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Werner Schober, SEC Consult Vulnerability Lab\"}], \"impacts\": [{\"capecId\": \"CAPEC-234\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-234: Hijacking a privileged process\"}]}], \"affected\": [{\"vendor\": \"dormakaba\", \"product\": \"Access Manager 92xx-k7\", \"versions\": [{\"status\": \"affected\", \"version\": \"92xx-k7: \u003cBAME 06.00\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"To secure the devices from unauthorized access, it is highly recommended to change the default password and update to at least firmware version BAME 06.00.x RA.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"To secure the devices from unauthorized access, it is highly recommended to change the default password and update to at least firmware version BAME 06.00.x RA.\u003cbr\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://r.sec-consult.com/dormakaba\", \"tags\": [\"technical-description\"]}, {\"url\": \"https://r.sec-consult.com/dkaccess\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://www.dormakabagroup.com/en/security-advisories\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. If an attacker is able to execute code on the system via other vulnerabilities it is possible to directly execute commands with highest privileges.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. If an attacker is able to execute code on the system via other vulnerabilities it is possible to directly execute commands with highest privileges. \u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-272\", \"description\": \"CWE-272: Least Privilege Violation\"}]}], \"providerMetadata\": {\"orgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"shortName\": \"SEC-VLab\", \"dateUpdated\": \"2026-01-26T10:06:13.702Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-59106\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-27T18:44:41.817Z\", \"dateReserved\": \"2025-09-09T07:53:12.879Z\", \"assignerOrgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"datePublished\": \"2026-01-26T10:06:13.702Z\", \"assignerShortName\": \"SEC-VLab\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…