CVE-2025-59101 (GCVE-0-2025-59101)
Vulnerability from cvelistv5 – Published: 2026-01-26 10:05 – Updated: 2026-01-26 16:00
VLAI
Title
Insufficient Session Management in dormakaba access manager
Summary
Instead of typical session tokens or cookies, it is verified on a per-request basis if the originating IP address has once successfully logged in. As soon as an authentication request from a certain source IP is successful, the IP address is handled as authenticated. No other session information is stored. Therefore, it is possible to spoof the IP address of a logged-in user to gain access to the Access Manager web interface.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-291 - Reliance on IP Address for Authentication
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://r.sec-consult.com/dormakaba | technical-description |
| https://r.sec-consult.com/dkaccess | third-party-advisory |
| https://www.dormakabagroup.com/en/security-advisories | vendor-advisory |
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| dormakaba | Access Manager 92xx-k5 |
Affected:
92xx-K5: <XAMB 04.06.212
|
|
| dormakaba | Access Manager 92xx-k7 |
Affected:
92xx-K7: <BAME 04.07.268
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-59101",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-26T15:59:56.135677Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T16:00:07.304Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Access Manager 92xx-k5",
"vendor": "dormakaba",
"versions": [
{
"status": "affected",
"version": "92xx-K5: \u003cXAMB 04.06.212"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Access Manager 92xx-k7",
"vendor": "dormakaba",
"versions": [
{
"status": "affected",
"version": "92xx-K7: \u003cBAME 04.07.268"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Clemens Stockenreitner, SEC Consult Vulnerability Lab"
},
{
"lang": "en",
"type": "finder",
"value": "Werner Schober, SEC Consult Vulnerability Lab"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Instead of typical session tokens or cookies, it is verified on a per-request basis if the originating IP address has once successfully logged in. As soon as an authentication request from a certain source IP is successful, the IP address is handled as authenticated. No other session information is stored. Therefore, it is possible to spoof the IP address of a logged-in user to gain access to the Access Manager web interface.\u003cbr\u003e"
}
],
"value": "Instead of typical session tokens or cookies, it is verified on a per-request basis if the originating IP address has once successfully logged in. As soon as an authentication request from a certain source IP is successful, the IP address is handled as authenticated. No other session information is stored. Therefore, it is possible to spoof the IP address of a logged-in user to gain access to the Access Manager web interface."
}
],
"impacts": [
{
"capecId": "CAPEC-593",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-593: Session Hijacking"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-291",
"description": "CWE-291: Reliance on IP Address for Authentication",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T10:05:20.665Z",
"orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"shortName": "SEC-VLab"
},
"references": [
{
"tags": [
"technical-description"
],
"url": "https://r.sec-consult.com/dormakaba"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://r.sec-consult.com/dkaccess"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.dormakabagroup.com/en/security-advisories"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "To secure the Access Manager 92xx, it is highly recommended to update to the latest FW, at least XAMB 04.06.212 RA.\u003cbr\u003e"
}
],
"value": "To secure the Access Manager 92xx, it is highly recommended to update to the latest FW, at least XAMB 04.06.212 RA."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Insufficient Session Management in dormakaba access manager",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
"assignerShortName": "SEC-VLab",
"cveId": "CVE-2025-59101",
"datePublished": "2026-01-26T10:05:20.665Z",
"dateReserved": "2025-09-09T07:53:12.879Z",
"dateUpdated": "2026-01-26T16:00:07.304Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-59101",
"date": "2026-07-02",
"epss": "0.00572",
"percentile": "0.43091"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-59101\",\"sourceIdentifier\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"published\":\"2026-01-26T10:16:07.850\",\"lastModified\":\"2026-06-17T09:45:33.210\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Instead of typical session tokens or cookies, it is verified on a per-request basis if the originating IP address has once successfully logged in. As soon as an authentication request from a certain source IP is successful, the IP address is handled as authenticated. No other session information is stored. Therefore, it is possible to spoof the IP address of a logged-in user to gain access to the Access Manager web interface.\"},{\"lang\":\"es\",\"value\":\"En lugar de los tokens de sesi\u00f3n o cookies t\u00edpicos, se verifica por solicitud si la direcci\u00f3n IP de origen ha iniciado sesi\u00f3n con \u00e9xito alguna vez. Tan pronto como una solicitud de autenticaci\u00f3n de una determinada IP de origen es exitosa, la direcci\u00f3n IP se trata como autenticada. No se almacena ninguna otra informaci\u00f3n de sesi\u00f3n. Por lo tanto, es posible suplantar la direcci\u00f3n IP de un usuario que ha iniciado sesi\u00f3n para obtener acceso a la interfaz web del Administrador de Acceso.\"}],\"affected\":[{\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"affectedData\":[{\"vendor\":\"dormakaba\",\"product\":\"Access Manager 92xx-k5\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"92xx-K5: \u003cXAMB 04.06.212\",\"status\":\"affected\"}]},{\"vendor\":\"dormakaba\",\"product\":\"Access Manager 92xx-k7\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"92xx-K7: \u003cBAME 04.07.268\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-01-26T15:59:56.135677Z\",\"id\":\"CVE-2025-59101\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-291\"}]}],\"references\":[{\"url\":\"https://r.sec-consult.com/dkaccess\",\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\"},{\"url\":\"https://r.sec-consult.com/dormakaba\",\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\"},{\"url\":\"https://www.dormakabagroup.com/en/security-advisories\",\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\"}]}}",
"vulnrichment": {
"containers": "{\"cna\": {\"affected\": [{\"defaultStatus\": \"unaffected\", \"product\": \"Access Manager 92xx-k5\", \"vendor\": \"dormakaba\", \"versions\": [{\"status\": \"affected\", \"version\": \"92xx-K5: \u003cXAMB 04.06.212\"}]}, {\"defaultStatus\": \"unaffected\", \"product\": \"Access Manager 92xx-k7\", \"vendor\": \"dormakaba\", \"versions\": [{\"status\": \"affected\", \"version\": \"92xx-K7: \u003cBAME 04.07.268\"}]}], \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Clemens Stockenreitner, SEC Consult Vulnerability Lab\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Werner Schober, SEC Consult Vulnerability Lab\"}], \"descriptions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"Instead of typical session tokens or cookies, it is verified on a per-request basis if the originating IP address has once successfully logged in. As soon as an authentication request from a certain source IP is successful, the IP address is handled as authenticated. No other session information is stored. Therefore, it is possible to spoof the IP address of a logged-in user to gain access to the Access Manager web interface.\u003cbr\u003e\"}], \"value\": \"Instead of typical session tokens or cookies, it is verified on a per-request basis if the originating IP address has once successfully logged in. As soon as an authentication request from a certain source IP is successful, the IP address is handled as authenticated. No other session information is stored. Therefore, it is possible to spoof the IP address of a logged-in user to gain access to the Access Manager web interface.\"}], \"impacts\": [{\"capecId\": \"CAPEC-593\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-593: Session Hijacking\"}]}], \"metrics\": [{\"cvssV4_0\": {\"Automatable\": \"NOT_DEFINED\", \"Recovery\": \"NOT_DEFINED\", \"Safety\": \"NOT_DEFINED\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"attackVector\": \"NETWORK\", \"baseScore\": 7.7, \"baseSeverity\": \"HIGH\", \"exploitMaturity\": \"NOT_DEFINED\", \"privilegesRequired\": \"NONE\", \"providerUrgency\": \"NOT_DEFINED\", \"subAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"userInteraction\": \"PASSIVE\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"version\": \"4.0\", \"vulnAvailabilityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"format\": \"CVSS\", \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-291\", \"description\": \"CWE-291: Reliance on IP Address for Authentication\", \"lang\": \"en\", \"type\": \"CWE\"}]}], \"providerMetadata\": {\"orgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"shortName\": \"SEC-VLab\", \"dateUpdated\": \"2026-01-26T10:05:20.665Z\"}, \"references\": [{\"tags\": [\"technical-description\"], \"url\": \"https://r.sec-consult.com/dormakaba\"}, {\"tags\": [\"third-party-advisory\"], \"url\": \"https://r.sec-consult.com/dkaccess\"}, {\"tags\": [\"vendor-advisory\"], \"url\": \"https://www.dormakabagroup.com/en/security-advisories\"}], \"solutions\": [{\"lang\": \"en\", \"supportingMedia\": [{\"base64\": false, \"type\": \"text/html\", \"value\": \"To secure the Access Manager 92xx, it is highly recommended to update to the latest FW, at least XAMB 04.06.212 RA.\u003cbr\u003e\"}], \"value\": \"To secure the Access Manager 92xx, it is highly recommended to update to the latest FW, at least XAMB 04.06.212 RA.\"}], \"source\": {\"discovery\": \"EXTERNAL\"}, \"title\": \"Insufficient Session Management in dormakaba access manager\", \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-59101\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-26T15:59:56.135677Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-26T15:59:59.184Z\"}}]}",
"cveMetadata": "{\"cveId\": \"CVE-2025-59101\", \"assignerOrgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"SEC-VLab\", \"dateReserved\": \"2025-09-09T07:53:12.879Z\", \"datePublished\": \"2026-01-26T10:05:20.665Z\", \"dateUpdated\": \"2026-01-26T16:00:07.304Z\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…