Byte Open Security (ByteOS Network)
Vulnerability Details: CVE-2025-59109

Summary
Assigner: SEC-VLab
Assigner Org ID: 551230f0-3615-47bd-b7cc-93e92e730bbf
Published At: 26 Jan, 2026 | 10:06
Updated At: 03 Mar, 2026 | 18:11
Rejected At: -

UART Leaking Sensitive Data in dormakaba registration unit 9002

The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad sends every button press to the UART interface, so an attacker can use that interface to exfiltrate PINs. Because the devices are explicitly built as Plug-and-Play so that they can be replaced easily, an attacker can readily remove the device and install a hardware implant that connects to the UART and exfiltrates the data exposed there to another system (e.g. via WiFi).

Common Vulnerabilities and Exposures (CVE), source: cve.org
CVE Numbering Authority (CNA)

Affected Products
Vendor: dormakaba
Product: dormakaba registration unit 9002
Default Status: unaffected
Affected Versions: <SW0039
Problem Types
Type: CWE
CWE ID: CWE-1295
Description: CWE-1295: Debug Messages Revealing Unnecessary Information
Metrics
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Impacts
CAPEC ID: CAPEC-121
Description: CAPEC-121: Exploit Non-Production Interfaces
Solutions

If the 9002 is installed in an insecure location, it could be manipulated. Hardware access and special equipment are needed to exploit this vulnerability, and the manipulated device would then need to be reinstalled. To mitigate this vulnerability for a 9002 in an insecure location, a newer version of the 9002 (serial number starts with: 0700039…) could be installed. Important: the version of an installed 9002 can only be checked on-site.

Credits
Clemens Stockenreitner, SEC Consult Vulnerability Lab (finder)
Werner Schober, SEC Consult Vulnerability Lab (finder)

References
https://r.sec-consult.com/dormakaba (technical-description)
https://r.sec-consult.com/dkaccess (third-party-advisory)
https://www.dormakabagroup.com/en/security-advisories (vendor-advisory)
Authorized Data Publishers (ADP)
1. CVE Program Container
References
http://seclists.org/fulldisclosure/2026/Jan/24 (resource type: N/A)
2. CISA ADP Vulnrichment
Information is not available yet
National Vulnerability Database (NVD), source: nvd.nist.gov
Source: 551230f0-3615-47bd-b7cc-93e92e730bbf
Published At: 26 Jan, 2026 | 10:16
Updated At: 27 Jan, 2026 | 07:16

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weaknesses
CWE ID: CWE-1295
Type: Secondary
Source: 551230f0-3615-47bd-b7cc-93e92e730bbf
References
https://r.sec-consult.com/dkaccess (source: 551230f0-3615-47bd-b7cc-93e92e730bbf)
https://r.sec-consult.com/dormakaba (source: 551230f0-3615-47bd-b7cc-93e92e730bbf)
https://www.dormakabagroup.com/en/security-advisories (source: 551230f0-3615-47bd-b7cc-93e92e730bbf)
http://seclists.org/fulldisclosure/2026/Jan/24 (source: af854a3a-2127-422b-91ae-364da2661108)