Dormakaba Access Manager 92xx-k7
8 CVEs affecting Dormakaba Access Manager 92xx-k7. Latest disclosed: 2026-01-26. Critical: 0, High: 0.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-59108 | | | 2026-01-26 | By default, the password for the Access Manager's web interface is set to 'admin'. In the tested version changing the password was not enforced. |
| CVE-2025-59106 | | | 2026-01-26 | The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privi… |
| CVE-2025-59105 | | | 2026-01-26 | With physical access to the device and enough time an attacker can desolder the flash memory, modify it and then reinstall it because of missing encryption. Th… |
| CVE-2025-59104 | | | 2026-01-26 | With physical access to the device and enough time an attacker is able to solder test leads to the debug footprint (or use the 6-Pin tag-connect cable). Thus… |
| CVE-2025-59101 | | | 2026-01-26 | Instead of typical session tokens or cookies, it is verified on a per-request basis if the originating IP address has once successfully logged in. As soon as a… |
| CVE-2025-59099 | | | 2026-01-26 | The Access Manager is using the open source web server CompactWebServer written in C#. This web server is affected by a path traversal vulnerability, which all… |
| CVE-2025-59098 | | | 2026-01-26 | The Access Manager is offering a trace functionality to debug errors and issues with the device. The trace functionality is implemented as a simple TCP socket… |
| CVE-2025-59097 | | | 2026-01-26 | The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the d… |