CVE-2025-59101
📋 TL;DR
This vulnerability allows attackers to bypass authentication in Dormakaba Access Manager by spoofing the IP address of a previously authenticated user. The system authenticates based solely on source IP addresses after initial successful login, with no session tokens or cookies. Organizations using affected Dormakaba Access Manager products are vulnerable to unauthorized access.
💻 Affected Systems
- Dormakaba Access Manager
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of physical access control systems allowing unauthorized entry to secured facilities, manipulation of access permissions, and potential physical security breaches.
Likely Case
Unauthorized access to the Access Manager web interface leading to privilege escalation, user account manipulation, and access control rule modification.
If Mitigated
Limited impact if network segmentation prevents IP spoofing and if the interface is not internet-facing.
🎯 Exploit Status
Exploitation requires IP spoofing capability but no authentication is needed once the target IP has authenticated. Attackers need to identify an authenticated IP address to spoof.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in references
Vendor Advisory: https://www.dormakabagroup.com/en/security-advisories
Restart Required: Yes
Instructions:
1. Check the Dormakaba security advisory for specific patch details.
2. Apply vendor-provided firmware/software updates.
3. Restart Access Manager services.
4. Verify that authentication now uses proper session management.
🔧 Temporary Workarounds
Network Segmentation and ACLs
Restrict access to the Access Manager web interface using network access control lists and segment the network to prevent IP spoofing.
Disable IP-Based Authentication
Configure Access Manager to use proper session tokens or multi-factor authentication instead of IP-based authentication.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Access Manager from untrusted networks
- Deploy intrusion prevention systems with IP spoofing detection and blocking capabilities
🔍 How to Verify
Check if Vulnerable:
Test if you can access the Access Manager web interface by spoofing an IP address that has previously authenticated. Check authentication logs for IP-based authentication patterns.
Check Version:
Check Access Manager web interface version in admin panel or consult vendor documentation for version checking.
Verify Fix Applied:
Verify that authentication now requires session tokens or cookies, not just IP address. Test that IP spoofing no longer grants access.
📡 Detection & Monitoring
Log Indicators:
- Multiple successful logins from same IP in quick succession
- Authentication attempts from IP addresses that shouldn't have access
- Access from IPs without corresponding login events
Network Indicators:
- IP spoofing attempts detected by network security devices
- Unusual traffic patterns to Access Manager interface
SIEM Query:
source_ip=AccessManager AND (event_type="authentication_success" OR event_type="access_granted") | stats count by source_ip | where count > threshold
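The two log indicators above (access granted from an IP with no corresponding login, and many logins from one IP in quick succession) as correlation logic over sample log lines. This is an added example, not code from the advisory or from Dormakaba; the `event_type=... source_ip=...` line format and the time windows are assumptions made for the example.

```python
# Added example, not from the advisory or the vendor: correlate constructed
# Access Manager style log lines to surface two of the indicators listed above.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format; adapt the pattern to the real product's log layout.
LINE_RE = re.compile(r"^(?P<ts>\S+) event_type=(?P<event>\w+) source_ip=(?P<ip>[\d.]+)")

def parse(lines):
    """Yield (timestamp, event_type, source_ip) for lines in the assumed format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["event"], m["ip"]

def find_orphan_access(lines, window=timedelta(hours=8)):
    """access_granted events whose source IP had no authentication_success
    within `window` before them (access with no login trail behind it)."""
    last_login, orphans = {}, []
    for ts, event, ip in sorted(parse(lines)):
        if event == "authentication_success":
            last_login[ip] = ts
        elif event == "access_granted":
            seen = last_login.get(ip)
            if seen is None or ts - seen > window:
                orphans.append((ts.isoformat(), ip))
    return orphans

def find_login_bursts(lines, window=timedelta(seconds=60), threshold=2):
    """IPs with more than `threshold` successful logins inside any `window`."""
    logins = defaultdict(list)
    for ts, event, ip in parse(lines):
        if event == "authentication_success":
            logins[ip].append(ts)
    flagged = []
    for ip, times in sorted(logins.items()):
        times.sort()
        # anchor a window at each login and count the logins that fall inside it
        if any(sum(1 for t in times[i:] if t - start <= window) > threshold
               for i, start in enumerate(times)):
            flagged.append(ip)
    return flagged

SAMPLE_LOGS = [  # constructed sample lines, not real product output
    "2025-09-10T08:00:00 event_type=authentication_success source_ip=10.0.1.20",
    "2025-09-10T08:05:00 event_type=access_granted source_ip=10.0.1.20",
    "2025-09-10T09:00:00 event_type=access_granted source_ip=10.0.9.77",
    "2025-09-10T10:00:00 event_type=authentication_success source_ip=10.0.2.5",
    "2025-09-10T10:00:10 event_type=authentication_success source_ip=10.0.2.5",
    "2025-09-10T10:00:20 event_type=authentication_success source_ip=10.0.2.5",
]
```

Because a spoofed request carries the legitimate client's address, the orphan check mainly surfaces accesses that bypassed the login flow entirely; pair it with network-level spoofing detection for the case where the attacker reuses an IP that did log in.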