Cyber Resilience

CVE-2025-59106

High

Published: 26 January 2026

Published
26 January 2026
Modified
12 February 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0068 47.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-59106 is a high-severity Least Privilege Violation (CWE-272) vulnerability in Dormakabagroup Dormakaba Access Manager 9200-K7 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 47.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2025-59106, published on 2026-01-26, is a least privilege violation (CWE-272) with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). It affects the binary in dormakaba access control systems, such as dkaccess, that serves the web server and executes actions initiated from the Web UI. This binary runs with root privileges, contravening the principle of least privilege and enabling potential escalation if initial code execution is achieved through other vulnerabilities.

An attacker with low privileges, such as an authenticated user with network access, can exploit this issue in conjunction with another vulnerability that allows code execution on the system. Successful exploitation grants direct execution of commands with root privileges, resulting in high-impact compromise of confidentiality, integrity, and availability.

Mitigation details are available in advisories from SEC Consult (https://r.sec-consult.com/dkaccess, https://r.sec-consult.com/dormakaba) and dormakaba (https://www.dormakabagroup.com/en/security-advisories).

EU & UK References

Vulnerability details

The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. If an attacker is able to execute code on the system via…

more

other vulnerabilities it is possible to directly execute commands with highest privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE describes a least-privilege violation where a web-server binary runs as root; this directly enables privilege escalation (T1068) once an attacker obtains any form of code execution via another vulnerability.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32655Shared CWE-272
CVE-2025-9711Shared CWE-272
CVE-2026-39459Shared CWE-272
CVE-2024-55954Shared CWE-272

Affected Assets

dormakabagroup
dormakaba access manager 9200-k7 firmware
≤ bame_06.00
dormakabagroup
dormakaba access manager 9230-k7 firmware
≤ bame_06.00
dormakabagroup
dormakaba access manager 9290-k7 firmware
≤ bame_06.00
dormakabagroup
dormakaba access manager 9200-k5 firmware
all versions
dormakabagroup
dormakaba access manager 9230-k5 firmware
all versions
dormakabagroup
dormakaba access manager 9290-k5 firmware
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-6 directly enforces least privilege, preventing the web server binary from running with root privileges and blocking escalation from code execution vulnerabilities.

prevent

CM-6 establishes secure configuration settings to run the binary under a non-root account with minimal privileges required for Web UI actions.

prevent

CM-7 restricts the binary to least functionality, reducing the need for root privileges and limiting compromise impact if initial code execution occurs.

References