CVE-2025-59106
📋 TL;DR
This CVE describes a privilege escalation vulnerability in which the web server binary runs with root privileges, violating the principle of least privilege. If an attacker gains code execution through another vulnerability, they can directly execute commands with the highest privileges. This affects systems running vulnerable versions of dormakaba access control software.
💻 Affected Systems
- dormakaba access control systems
📦 What is this software?
Dormakaba Access Manager 9200 K5 Firmware by Dormakabagroup
Dormakaba Access Manager 9200 K7 Firmware by Dormakabagroup
Dormakaba Access Manager 9230 K5 Firmware by Dormakabagroup
Dormakaba Access Manager 9230 K7 Firmware by Dormakabagroup
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with root-level access, allowing attackers to install persistent backdoors, steal sensitive data, disrupt physical access control systems, and pivot to other network resources.
Likely Case
Attackers who exploit initial access vulnerabilities can escalate to root privileges, gaining full control over the access control system and potentially manipulating physical security controls.
If Mitigated
With proper network segmentation and access controls, impact is limited to the affected system, preventing lateral movement and protecting other critical infrastructure.
🎯 Exploit Status
Requires initial code execution through other vulnerabilities to exploit the privilege escalation. Not directly exploitable without other attack vectors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Consult vendor advisory for specific patched versions
Vendor Advisory: https://www.dormakabagroup.com/en/security-advisories
Restart Required: Yes
Instructions:
1. Review the vendor security advisory.
2. Identify affected product versions.
3. Apply the vendor-provided patches.
4. Restart affected services/systems.
5. Verify that the web server no longer runs as root.
🔧 Temporary Workarounds
Run web server as non-root user
Configure the web server binary to run with a dedicated, limited-privilege user account instead of root
# Create a dedicated system user with no login shell
sudo useradd -r -s /bin/false websrv_user
# Change binary ownership (ownership alone does not change the user the process runs as)
sudo chown websrv_user:websrv_user /path/to/webserver_binary
# Update the service configuration (init script or service unit) to start the binary as websrv_user
Implement strict network controls
Restrict network access to the web UI to only authorized management stations
# Example iptables rules: the ACCEPT rule must come before the DROP rule
sudo iptables -A INPUT -p tcp --dport [WEB_PORT] -s [TRUSTED_IP] -j ACCEPT
sudo iptables -A INPUT -p tcp --dport [WEB_PORT] -j DROP
# Persist the rules with the platform's own mechanism; they do not survive a reboot otherwise
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from critical infrastructure
- Deploy application control/whitelisting to prevent unauthorized binary execution
🔍 How to Verify
Check if Vulnerable:
Check whether the web server process runs as root: run 'ps aux | grep [webserver_process]' and check whether the USER column shows root (UID 0)
Check Version:
Consult vendor documentation for version checking specific to dormakaba products
Verify Fix Applied:
After patching or changing the configuration, confirm with the same ps command that the web server process runs as a non-root user
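As an added example, not part of this advisory or of dormakaba's own tooling, the following POSIX shell script automates the ps check above: it scans a ps aux style listing for processes of a given name owned by root (or UID 0) and reports whether the mitigation is in place. The listing is constructed sample data and webserver_binary is a placeholder process name.

```shell
#!/bin/sh
# Added example, not from the advisory or the vendor: scan a "ps aux" style
# listing for a process of a given name that is owned by root (or UID 0),
# which is the condition this CVE describes. The listing below is constructed
# sample data and "webserver_binary" is a placeholder process name.
SAMPLE_PS='USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   2200  1100 ?        Ss   10:00   0:00 /sbin/init
root       412  0.0  0.5  31000  5200 ?        Ss   10:00   0:01 /usr/sbin/webserver_binary -c /etc/web.conf
root       418  0.0  0.2   9000  2100 ?        S    10:00   0:00 /bin/sh -c /opt/helper.sh
websrv_user 530  0.0  0.4  28000  4800 ?        S    10:01   0:00 /usr/sbin/webserver_binary -c /etc/web.conf
nobody     601  0.0  0.1   8000  1500 ?        S    10:02   0:00 /usr/bin/logger'

# root_procs LISTING NAME -> print the PID of every NAME process whose USER
# column is "root" or "0", one per line; prints nothing when none is found.
root_procs() {
    printf '%s\n' "$1" | awk -v name="$2" '
        NR > 1 && ($1 == "root" || $1 == "0") {
            cmd = $11               # COMMAND is the 11th column of ps aux
            sub(/.*\//, "", cmd)    # keep only the basename of the executable
            if (cmd == name) print $2
        }'
}

# is_mitigated LISTING NAME -> exit 0 when no root-owned NAME process exists
is_mitigated() {
    [ -z "$(root_procs "$1" "$2")" ]
}

# Demonstration on the constructed listing. On a real host, replace SAMPLE_PS
# with "$(ps aux)" and use the actual process name from the vendor documentation.
if is_mitigated "$SAMPLE_PS" webserver_binary; then
    echo "OK: webserver_binary does not run as root"
else
    echo "VULNERABLE: root-owned webserver_binary PID(s):"
    root_procs "$SAMPLE_PS" webserver_binary
fi
```

The same check can be re-run after the patch or the non-root workaround to confirm that the root-owned instance is gone.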
📡 Detection & Monitoring
Log Indicators:
- Unexpected privilege escalation attempts
- Web server process spawning child processes with root privileges
- Authentication failures followed by process privilege changes
Network Indicators:
- Unusual outbound connections from access control system
- Unexpected traffic to/from web UI port from unauthorized sources
SIEM Query:
(process_name="[webserver_binary]" AND user="root") OR (process_parent_name="[webserver_binary]" AND user="root")