CVE-2025-59105

CVSS Score: N/A (severity not assigned)

📋 TL;DR

This CVE describes a physical-access vulnerability in Dormakaba K7 (Linux) and K5 (Windows CE) access control devices: an attacker who desolders the flash memory chip can read and modify sensitive data because it is stored unencrypted. On K7 models this yields root SSH access; on K5 models it yields plaintext passwords from the device database. Organizations using these physical access control systems are affected.

💻 Affected Systems

Products:
  • Dormakaba K7 access control system
  • Dormakaba K5 access control system
Versions: All versions with unencrypted flash storage (specific versions not disclosed in advisory)
Operating Systems: Linux (K7 model), Windows CE (K5 model)
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable due to lack of flash memory encryption. Physical device access is required.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check the vendor security advisories for your device model
  3. Assess whether the attack is feasible in your environment (who can reach the devices physically, and for how long)
  4. Watch for vendor firmware or hardware updates; no software patch is currently listed

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete physical security compromise: an attacker who modifies the device's firmware or stored credentials gains persistent unauthorized entry to the secured facility, and stolen credentials remain usable until they are rotated, even if the tampered device itself is later replaced.

🟠

Likely Case

Targeted physical attacks on high-security facilities where attackers have extended physical access to devices, allowing credential theft and unauthorized access creation.

🟢

If Mitigated

Limited impact if devices are in physically secure locations with tamper detection, regular firmware validation, and network segmentation preventing lateral movement.

🌐 Internet-Facing: LOW - This requires physical device access, not network exploitation.
🏢 Internal Only: HIGH - Physical access to devices inside facilities enables full compromise of access control systems.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: Unknown (no public PoC)
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Requires physical access, soldering equipment, and technical skill to desolder/replace flash memory chips. No authentication needed once physical access obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://www.dormakabagroup.com/en/security-advisories

Restart Required: No

Instructions:

No software patch available. Contact Dormakaba for hardware replacement options or physical security recommendations.

🔧 Temporary Workarounds

Physical Security Hardening

Applies to: all versions

Implement tamper-evident enclosures, surveillance, and access controls to prevent physical device access

Network Segmentation

Applies to: all versions

Isolate access control systems on separate VLANs to limit lateral movement if compromised

🧯 If You Can't Patch

  • Deploy tamper-evident seals and surveillance cameras monitoring all access control devices
  • Implement regular physical inspections and firmware integrity checks using cryptographic hashes
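The "firmware integrity checks using cryptographic hashes" above, and the question in the verification section of whether flash contents are encrypted at all, can both be answered from a dump of the chip. The script below is an added example, not tooling from the original advisory or from Dormakaba. It assumes you hold a known-good SHA-256 of the device's flash image captured at commissioning and a fresh dump read from the same chip; both images here are constructed in memory so it runs offline, and the "admin_password" setting and partition layout are placeholders, not the real on-chip format of any Dormakaba device.

```python
"""Integrity and plaintext-content checks for a dumped flash image.

Added example; not from the original advisory or from Dormakaba. The
baseline hash, the dump and the config layout are all constructed here.
"""
import hashlib
import hmac
import math
import random

BLOCK_SIZE = 4096        # inspection granularity; one flash page/sector is typical


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_baseline(image: bytes, baseline_hex: str) -> bool:
    """True when the dump hashes to the commissioning baseline."""
    return hmac.compare_digest(sha256_hex(image), baseline_hex)


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, up to 8.0 for uniform bytes."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def low_entropy_blocks(image: bytes, block_size: int = BLOCK_SIZE,
                       threshold: float = 7.0):
    """Offsets (and entropy) of blocks that do not look encrypted.

    Encrypted or compressed data measures close to 8 bits/byte; config text,
    filesystem metadata and erased (all-0xFF) pages measure far lower. Many
    low-entropy blocks in a dump mean the chip holds readable plaintext, which
    is the condition this CVE describes.
    """
    out = []
    for off in range(0, len(image), block_size):
        ent = shannon_entropy(image[off:off + block_size])
        if ent < threshold:
            out.append((off, ent))
    return out


def find_plaintext(image: bytes, needle: bytes):
    """Every offset at which a plaintext marker (e.g. a config key) occurs."""
    hits, start = [], 0
    while (pos := image.find(needle, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def _constructed_image() -> bytes:
    """Constructed stand-in for a flash dump (not a real device image)."""
    rng = random.Random(2025)                        # seeded, so the baseline hash is stable
    encrypted_like = rng.randbytes(2 * BLOCK_SIZE)   # stands in for an encrypted partition
    config = b"[device]\nrole=reader\nadmin_password=changeme\n"   # hypothetical settings
    config_block = config.ljust(BLOCK_SIZE, b"\x00")  # plaintext settings, zero padded
    erased_block = b"\xff" * BLOCK_SIZE               # erased flash reads back as 0xFF
    return encrypted_like + config_block + erased_block


BASELINE_IMAGE = _constructed_image()
BASELINE_SHA256 = sha256_hex(BASELINE_IMAGE)
# A dump from a chip whose stored password was rewritten on the bench.
TAMPERED_IMAGE = BASELINE_IMAGE.replace(b"changeme", b"letmein!")


if __name__ == "__main__":
    print("tampered dump matches baseline:",
          matches_baseline(TAMPERED_IMAGE, BASELINE_SHA256))
    for off, ent in low_entropy_blocks(BASELINE_IMAGE):
        print(f"plaintext-looking block at 0x{off:06x}: {ent:.2f} bits/byte")
    print("password field at:",
          [hex(p) for p in find_plaintext(BASELINE_IMAGE, b"admin_password=")])
```

The hash comparison answers "has this chip been rewritten since commissioning"; the entropy scan answers "is anything on it readable without a key". On a device that encrypts its flash the scan should report only erased pages, so a dump full of low-entropy blocks with recognisable config keys is the finding to record.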

🔍 How to Verify

Check if Vulnerable:

Check the device model: if it is a Dormakaba K7 or K5, assume it is affected. Whether the flash contents are encrypted cannot be confirmed from the device's user interface; verifying it means dumping the chip, which is the same step the attack takes.

Check Version:

No affected version range has been published; the weakness is in how the hardware stores data, so treat every firmware version as affected until the vendor states otherwise.

Verify Fix Applied:

No software fix available. Verify physical security controls are implemented and devices are in secure locations.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected device reboots
  • SSH login attempts from unknown IPs (K7)
  • Access Manager password changes (K5)

Network Indicators:

  • Unusual network traffic from access control devices
  • SSH connections from unexpected locations

SIEM Query:

(DeviceType="Dormakaba K7" OR DeviceType="Dormakaba K5") AND (EventType="PhysicalTamper" OR AuthenticationFailureCount>5)
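The same logic as the SIEM query, run over sample events so the rule can be checked before it is deployed. This is an added example, not tooling from the original advisory or from Dormakaba. It assumes events have already been normalised into dicts with the fields device_type, event_type, src_ip, account and result; those field names, the rule names and the sample events are all constructed for illustration.

```python
"""Detection logic for the log indicators listed in this section.

Added example; not from the original advisory or from Dormakaba. Field
names, rule names and sample events are constructed.
"""
from collections import defaultdict

WATCHED_DEVICES = {"Dormakaba K7", "Dormakaba K5"}
AUTH_FAIL_THRESHOLD = 5                      # matches the >5 in the SIEM query
LOGIN_EVENTS = {"SSHLogin", "AccessManagerLogin"}

# Constructed sample events, not captured from a real device.
SAMPLE_EVENTS = (
    [{"device_type": "Dormakaba K7", "event_type": "SSHLogin",
      "src_ip": "10.0.5.20", "account": "root", "result": "failure"}
     for _ in range(7)]                       # 7 failures: should alert exactly once
    + [
        {"device_type": "Dormakaba K7", "event_type": "SSHLogin",
         "src_ip": "10.0.5.21", "account": "root", "result": "success"},
        {"device_type": "Dormakaba K5", "event_type": "PhysicalTamper",
         "src_ip": None, "account": None, "result": None},
        {"device_type": "OtherVendor Reader", "event_type": "PhysicalTamper",
         "src_ip": None, "account": None, "result": None},   # not a watched device
        {"device_type": "Dormakaba K5", "event_type": "AccessManagerPasswordChange",
         "src_ip": "10.0.5.30", "account": "admin", "result": "success"},
    ]
)


def find_alerts(events):
    """Return one alert dict per triggered rule.

    Rules:
      * physical_tamper    - any tamper event from a watched device
      * auth_failure_burst - more than AUTH_FAIL_THRESHOLD failed logins from
                             the same source against the same device type,
                             raised once, on the first failure past the threshold
      * k5_password_change - Access Manager password change on a K5, one of the
                             log indicators listed above
    Events from other device types are ignored entirely.
    """
    alerts = []
    failures = defaultdict(int)
    for e in events:
        device = e.get("device_type")
        if device not in WATCHED_DEVICES:
            continue
        kind = e.get("event_type")
        if kind == "PhysicalTamper":
            alerts.append({"rule": "physical_tamper", "device_type": device})
        elif kind in LOGIN_EVENTS and e.get("result") == "failure":
            key = (device, e.get("src_ip"))
            failures[key] += 1
            if failures[key] == AUTH_FAIL_THRESHOLD + 1:
                alerts.append({"rule": "auth_failure_burst", "device_type": device,
                               "src_ip": e.get("src_ip")})
        elif kind == "AccessManagerPasswordChange" and device == "Dormakaba K5":
            alerts.append({"rule": "k5_password_change", "device_type": device,
                           "account": e.get("account")})
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert)
```

The failure counter is keyed on device type plus source address, so a single noisy host trips the rule once rather than on every subsequent attempt; widen the key (or add a time window) if your K7 fleet shares a management jump host.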
