QwikSec

Security Database

CVE

CWE

Training

CVE-2025-59101

Published: Jan 26, 2026

Modified: Jan 26, 2026

PUBLISHED

Description

Instead of typical session tokens or cookies, it is verified on a per-request basis if the originating IP address has once successfully logged in. As soon as an authentication request from a certain source IP is successful, the IP address is handled as authenticated. No other session information is stored. Therefore, it is possible to spoof the IP address of a logged-in user to gain access to the Access Manager web interface.

Vendor	Product	Versions
dormakaba	Access Manager 92xx-k5	affected `92xx-K5: <XAMB 04.06.212`
dormakaba	Access Manager 92xx-k7	affected `92xx-K7: <BAME 04.07.268`

Weaknesses (CWE)

References

https://r.sec-consult.com/dormakaba

technical-description

https://r.sec-consult.com/dkaccess

third-party-advisory

https://www.dormakabagroup.com/en/security-advisories

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.