CVE-2025-59098
📋 TL;DR
CVE-2025-59098 is an unauthenticated, unencrypted TCP socket vulnerability in dormakaba Access Manager that broadcasts sensitive debug information including card IDs and PIN entries. Attackers with network access can intercept all PINs entered on registration units. This affects organizations using dormakaba Access Manager systems.
💻 Affected Systems
- dormakaba Access Manager
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of physical access security through PIN harvesting, enabling unauthorized entry to secured facilities.
Likely Case
Attackers intercepting PINs and card IDs to clone credentials and gain unauthorized physical access.
If Mitigated
Limited impact if network segmentation prevents access to the vulnerable socket from untrusted networks.
🎯 Exploit Status
Exploitation requires only network access to the TCP socket and either the provided TraceClient.exe or a custom TCP client.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions.
Vendor Advisory: https://www.dormakabagroup.com/en/security-advisories
Restart Required: Yes
Instructions:
1. Consult dormakaba security advisory.
2. Download and apply the recommended patch/update.
3. Restart the Access Manager service.
4. Verify trace functionality is secured.
🔧 Temporary Workarounds
Disable Trace Socket
Disable the trace functionality via Access Manager interface to close the vulnerable TCP socket.
Access via web interface > Configuration > Trace Settings > Disable
Network Segmentation
Restrict network access to the Access Manager system using firewall rules.
Configure firewall to block TCP port used by trace socket (check vendor docs for port)
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Access Manager from untrusted networks.
- Monitor network traffic for connections to the trace socket and investigate anomalies.
🔍 How to Verify
Check if Vulnerable:
Attempt to connect to the trace socket via TCP (e.g., using telnet or netcat) on the Access Manager system; if the connection succeeds without authentication, the system is vulnerable.
Check Version:
Check Access Manager version via web interface or system documentation.
Verify Fix Applied:
After patching, attempt TCP connection to trace socket; it should be closed or require authentication. Verify trace functionality is disabled or secured in configuration.
📡 Detection & Monitoring
Log Indicators:
- Unexpected connections to trace socket port in system logs
- Trace-related error messages indicating access attempts
Network Indicators:
- TCP connections to the trace socket port from unauthorized IPs
- Unencrypted traffic containing card IDs or PIN data
SIEM Query:
source="AccessManager" AND (event="TraceSocketConnection" OR port="[trace-port]")
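The network indicator above (connections to the trace socket port from unauthorized IPs) can be checked against exported flow records. The following is an added example, not code from this page or from dormakaba; the port number, addresses, allowed subnet and log layout are all assumptions, and the real trace port must come from the vendor documentation.

```python
import ipaddress

# Assumptions (not from the advisory): placeholder port, addresses, log layout.
TRACE_PORT = 50000                  # placeholder; take the real port from vendor docs
ACCESS_MANAGERS = {"10.20.5.10"}    # hypothetical Access Manager address
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.9.0/28")]  # hypothetical admin subnet

# Constructed sample flow records: timestamp src dst dport state
SAMPLE_LOG = """\
2025-01-01T08:00:01Z 10.20.9.4 10.20.5.10 50000 ESTABLISHED
2025-01-01T08:03:12Z 10.20.31.77 10.20.5.10 50000 ESTABLISHED
2025-01-01T08:04:40Z 10.20.31.77 10.20.5.10 443 ESTABLISHED
2025-01-01T08:09:55Z 192.0.2.50 10.20.5.10 50000 REJECTED
malformed line
2025-01-01T08:11:02Z 10.20.9.4 10.20.7.3 50000 ESTABLISHED
"""

def is_allowed(src):
    """True if the source address is inside an approved management subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)

def find_trace_socket_access(log_text):
    """Return (timestamp, source, severity) for non-allowlisted trace socket access."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records instead of failing the whole run
        ts, src, dst, dport, state = parts
        if dst not in ACCESS_MANAGERS or dport != str(TRACE_PORT):
            continue  # only the trace socket on known Access Managers is in scope
        try:
            if is_allowed(src):
                continue
        except ValueError:
            continue  # unparseable source address
        # An established session means segmentation did not stop the client,
        # so the unencrypted debug stream was reachable from that source.
        severity = "exposed" if state == "ESTABLISHED" else "blocked-attempt"
        findings.append((ts, src, severity))
    return findings

if __name__ == "__main__":
    for ts, src, severity in find_trace_socket_access(SAMPLE_LOG):
        print(f"{ts} {src} -> trace socket: {severity}")
```

An "exposed" finding points to a segmentation gap to close; a "blocked-attempt" finding shows the firewall rule working and a source worth investigating.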