Description

The dormakaba registration units 9002 (PIN pad units) have an exposed UART header on the back. The PIN pad sends every button press to the UART interface, so an attacker can use the interface to exfiltrate PINs. Because the devices are explicitly built as plug-and-play so that they can be replaced easily, an attacker can easily remove a device, install a hardware implant that connects to the UART, and exfiltrate the data exposed via UART to another system (e.g. via WiFi).

INFO

Published Date: 2026-01-26T10:06:45.739Z

Last Modified: 2026-03-03T18:11:39.321Z

Source: SEC-VLab

AFFECTED PRODUCTS

The following products are affected by the CVE-2025-59109 vulnerability.

Vendor: Dormakaba
  • Product: Registration Unit 9002
CVSS Vulnerability Scoring System

Metrics in the above chart: Attack Vector, Attack Complexity, Attack Requirements, Privileges Required, User Interaction, VS Confidentiality, VS Integrity, VS Availability, SS Confidentiality, SS Integrity, SS Availability.