Description

The web interface offers a functionality to export the internal SQLite database. After executing the database export, an automatic download is started and the device reboots. After rebooting, the exported database is deleted and cannot be accessed anymore. However, it was noticed that sometimes the device does not reboot and therefore the exported database is not deleted, or the device reboots and the export is not deleted for unknown reasons. The path where the database export is located can be accessed without prior authentication. This leads to the fact that an attacker might be able to get access to the exported database without prior authentication. The database includes sensitive data like passwords, card pins, encrypted Mifare sitekeys and much more.

INFO

Published Date :

2026-01-26T10:05:11.306Z

Last Modified :

2026-01-26T16:00:38.237Z

Source :

SEC-VLab
AFFECTED PRODUCTS

The following products are affected by CVE-2025-59100 vulnerability.

Vendors Products
Dormakaba
  • Access Manager
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-59100.

URL Resource
https://r.sec-consult.com/dkaccess cve-icon cve-icon
https://r.sec-consult.com/dormakaba cve-icon cve-icon
https://www.dormakabagroup.com/en/security-advisories cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability