Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for dormakaba registration unit 9002 by dormakaba

    CVE-2025-59109 (GCVE-0-2025-59109)

    Vulnerability from nvd – Published: 2026-01-26 10:06 – Updated: 2026-03-03 18:11
    VLAI
    Title
    UART Leaking Sensitive Data in dormakaba registration unit 9002
    Summary
    The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be easily replaced, an attacker is easily able to remove the device, install a hardware implant which connects to the UART and exfiltrates the data exposed via UART to another system (e.g. via WiFi).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1295 - Debug Messages Revealing Unnecessary Information
    Assigner
    Impacted products
    Credits
    Clemens Stockenreitner, SEC Consult Vulnerability Lab Werner Schober, SEC Consult Vulnerability Lab
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-01-27T06:06:05.350Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://seclists.org/fulldisclosure/2026/Jan/24"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59109",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-26T12:24:28.914159Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-03T18:11:39.321Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "dormakaba registration unit 9002",
              "vendor": "dormakaba",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003cSW0039"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Clemens Stockenreitner, SEC Consult Vulnerability Lab"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Werner Schober, SEC Consult Vulnerability Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be easily replaced, an attacker is easily able to remove the device, install a hardware implant which connects to the UART and exfiltrates the data exposed via UART to another system (e.g. via WiFi).\u003cbr\u003e"
                }
              ],
              "value": "The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be easily replaced, an attacker is easily able to remove the device, install a hardware implant which connects to the UART and exfiltrates the data exposed via UART to another system (e.g. via WiFi)."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-121",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-121: Exploit Non-Production Interfaces"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "PHYSICAL",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1295",
                  "description": "CWE-1295: Debug Messages Revealing Unnecessary Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-26T10:06:45.739Z",
            "orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
            "shortName": "SEC-VLab"
          },
          "references": [
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://r.sec-consult.com/dormakaba"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://r.sec-consult.com/dkaccess"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.dormakabagroup.com/en/security-advisories"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "If the 9002 is installed in an insecure location, it could be manipulated. Hardware access and special equipment is needed to exploit this vulnerability. Also, the manipulated device would need to be reinstalled. To mitigate this vulnerability for 9002 in insecure locations, a newer version of the 9002 (Serial number starts with: 0700039\u2026) could be installed. Important: The version of the installed 9002 can only be checked on-site.\u003cbr\u003e"
                }
              ],
              "value": "If the 9002 is installed in an insecure location, it could be manipulated. Hardware access and special equipment is needed to exploit this vulnerability. Also, the manipulated device would need to be reinstalled. To mitigate this vulnerability for 9002 in insecure locations, a newer version of the 9002 (Serial number starts with: 0700039\u2026) could be installed. Important: The version of the installed 9002 can only be checked on-site."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "UART Leaking Sensitive Data in dormakaba registration unit 9002",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
        "assignerShortName": "SEC-VLab",
        "cveId": "CVE-2025-59109",
        "datePublished": "2026-01-26T10:06:45.739Z",
        "dateReserved": "2025-09-09T07:53:12.880Z",
        "dateUpdated": "2026-03-03T18:11:39.321Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2025-59109 (GCVE-0-2025-59109)

    Vulnerability from cvelistv5 – Published: 2026-01-26 10:06 – Updated: 2026-03-03 18:11
    VLAI
    Title
    UART Leaking Sensitive Data in dormakaba registration unit 9002
    Summary
    The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be easily replaced, an attacker is easily able to remove the device, install a hardware implant which connects to the UART and exfiltrates the data exposed via UART to another system (e.g. via WiFi).
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1295 - Debug Messages Revealing Unnecessary Information
    Assigner
    Impacted products
    Credits
    Clemens Stockenreitner, SEC Consult Vulnerability Lab Werner Schober, SEC Consult Vulnerability Lab
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2026-01-27T06:06:05.350Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "url": "http://seclists.org/fulldisclosure/2026/Jan/24"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-59109",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-01-26T12:24:28.914159Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-03T18:11:39.321Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "dormakaba registration unit 9002",
              "vendor": "dormakaba",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003cSW0039"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Clemens Stockenreitner, SEC Consult Vulnerability Lab"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Werner Schober, SEC Consult Vulnerability Lab"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be easily replaced, an attacker is easily able to remove the device, install a hardware implant which connects to the UART and exfiltrates the data exposed via UART to another system (e.g. via WiFi).\u003cbr\u003e"
                }
              ],
              "value": "The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be easily replaced, an attacker is easily able to remove the device, install a hardware implant which connects to the UART and exfiltrates the data exposed via UART to another system (e.g. via WiFi)."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-121",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-121: Exploit Non-Production Interfaces"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "PHYSICAL",
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "exploitMaturity": "NOT_DEFINED",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "ACTIVE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "NONE",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1295",
                  "description": "CWE-1295: Debug Messages Revealing Unnecessary Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-01-26T10:06:45.739Z",
            "orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
            "shortName": "SEC-VLab"
          },
          "references": [
            {
              "tags": [
                "technical-description"
              ],
              "url": "https://r.sec-consult.com/dormakaba"
            },
            {
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://r.sec-consult.com/dkaccess"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.dormakabagroup.com/en/security-advisories"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "If the 9002 is installed in an insecure location, it could be manipulated. Hardware access and special equipment is needed to exploit this vulnerability. Also, the manipulated device would need to be reinstalled. To mitigate this vulnerability for 9002 in insecure locations, a newer version of the 9002 (Serial number starts with: 0700039\u2026) could be installed. Important: The version of the installed 9002 can only be checked on-site.\u003cbr\u003e"
                }
              ],
              "value": "If the 9002 is installed in an insecure location, it could be manipulated. Hardware access and special equipment is needed to exploit this vulnerability. Also, the manipulated device would need to be reinstalled. To mitigate this vulnerability for 9002 in insecure locations, a newer version of the 9002 (Serial number starts with: 0700039\u2026) could be installed. Important: The version of the installed 9002 can only be checked on-site."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "UART Leaking Sensitive Data in dormakaba registration unit 9002",
          "x_generator": {
            "engine": "Vulnogram 0.5.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
        "assignerShortName": "SEC-VLab",
        "cveId": "CVE-2025-59109",
        "datePublished": "2026-01-26T10:06:45.739Z",
        "dateReserved": "2025-09-09T07:53:12.880Z",
        "dateUpdated": "2026-03-03T18:11:39.321Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }