CVE-2025-59109

The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be easily replaced, an attacker is easily able to remove the device, install a hardware implant which connects to the UART and exfiltrates the data exposed via UART to another system (e.g. via WiFi).

CVSS

No CVSS.

References

Link	Resource
https://r.sec-consult.com/dkaccess
https://r.sec-consult.com/dormakaba
https://www.dormakabagroup.com/en/security-advisories
http://seclists.org/fulldisclosure/2026/Jan/24

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Las unidades de registro dormakaba 9002 (Unidades de teclado PIN) tienen un encabezado UART expuesto en la parte trasera. El teclado PIN está enviando cada pulsación de botón a la interfaz UART. Un atacante puede usar la interfaz para exfiltrar PINs. Dado que los dispositivos están explícitamente construidos como Plug-and-Play para ser fácilmente reemplazados, un atacante puede fácilmente retirar el dispositivo, instalar un implante de hardware que se conecta al UART y exfiltrar los datos expuestos a través de UART a otro sistema (p. ej., vía WiFi).

27 Jan 2026, 07:16

Type	Values Removed	Values Added
References		() http://seclists.org/fulldisclosure/2026/Jan/24 -

26 Jan 2026, 10:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-26 10:16

Updated : 2026-04-15 00:35

NVD link : CVE-2025-59109

Mitre link : CVE-2025-59109

CVE.ORG link : CVE-2025-59109

JSON object : View

Products Affected

No product.

CWE

CWE-1295

Debug Messages Revealing Unnecessary Information

{"id": "CVE-2025-59109", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-26T10:16:08.890", "references": [{"url": "https://r.sec-consult.com/dkaccess", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}, {"url": "https://r.sec-consult.com/dormakaba", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}, {"url": "https://www.dormakabagroup.com/en/security-advisories", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf"}, {"url": "http://seclists.org/fulldisclosure/2026/Jan/24", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "551230f0-3615-47bd-b7cc-93e92e730bbf", "description": [{"lang": "en", "value": "CWE-1295"}]}], "descriptions": [{"lang": "en", "value": "The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be easily replaced, an attacker is easily able to remove the device, install a hardware implant which connects to the UART and exfiltrates the data exposed via UART to another system (e.g. via WiFi)."}, {"lang": "es", "value": "Las unidades de registro dormakaba 9002 (Unidades de teclado PIN) tienen un encabezado UART expuesto en la parte trasera. El teclado PIN est\u00e1 enviando cada pulsaci\u00f3n de bot\u00f3n a la interfaz UART. Un atacante puede usar la interfaz para exfiltrar PINs. Dado que los dispositivos est\u00e1n expl\u00edcitamente construidos como Plug-and-Play para ser f\u00e1cilmente reemplazados, un atacante puede f\u00e1cilmente retirar el dispositivo, instalar un implante de hardware que se conecta al UART y exfiltrar los datos expuestos a trav\u00e9s de UART a otro sistema (p. ej., v\u00eda WiFi)."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "551230f0-3615-47bd-b7cc-93e92e730bbf"}