CVE-2025-59097 Unauthenticated SOAP API in dormakaba access manager

🗓️ 26 Jan 2026 10:04:38Reported by SEC-VLabType

Unauthenticated SOAP API in dormakaba exos 9300 enables remote takeover of Access Managers via insecure default.

Reporter	Title	Published	Views	Family All 13
ATTACKERKB	CVE-2025-59102	26 Jan 202610:05	–	attackerkb
ATTACKERKB	CVE-2025-59097	26 Jan 202610:04	–	attackerkb
Circl	CVE-2025-59097	26 Jan 202612:16	–	circl
CNNVD	Dormakaba Access Manager security vulnerabilities	26 Jan 202600:00	–	cnnvd
CVE	CVE-2025-59097	26 Jan 202610:04	–	cve
EUVD	EUVD-2025-206361	26 Jan 202610:04	–	euvd
EUVD	EUVD-2025-206369	26 Jan 202610:05	–	euvd
NVD	CVE-2025-59097	26 Jan 202610:16	–	nvd
Positive Technologies	PT-2026-4747	26 Jan 202600:00	–	ptsecurity
Positive Technologies	PT-2026-4752	26 Jan 202600:00	–	ptsecurity

[
  {
    "defaultStatus": "affected",
    "product": "Access Manager 92xx-k5",
    "vendor": "dormakaba",
    "versions": [
      {
        "status": "affected",
        "version": "92xx-K5: All Versions"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "product": "Access Manager 92xx-k7",
    "vendor": "dormakaba",
    "versions": [
      {
        "status": "affected",
        "version": "92xx-K7: Older than BAME 06.00 must be configured"
      }
    ]
  }
]

Source	Link
dormakabagroup	www.dormakabagroup.com/en/security-advisories
r	www.r.sec-consult.com/dormakaba
r	www.r.sec-consult.com/dkaccess

26 Jan 2026 10:04Current

CVSS 49.3

EPSS0.00523