CVE-2025-59109

UART Leaking Sensitive Data in dormakaba registration unit 9002

CVSS 5.1 MEDIUMEPSS 0.5%CWE-1295

In short

The dormakaba 9002 PIN pad device has an exposed UART port on its back that transmits every button press, allowing an attacker to capture PINs. Since these devices are designed to be easily removed and replaced, an attacker can physically swap in a device with a hidden hardware implant to steal the PIN data.

Technical detail

An exposed UART interface on the dormakaba 9002 PIN pad transmits unencrypted keystroke data, including PINs. An attacker with physical access can remove the device and connect a hardware implant to exfiltrate this UART traffic to a remote system (e.g., via WiFi), compromising authentication credentials and bypassing access control mechanisms.

Summary generated and translated by AI from the official description.

The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be easily replaced, an attacker is easily able to remove the device, install a hardware implant which connects to the UART and exfiltrates the data exposed via UART to another system (e.g. via WiFi).

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected products

dormakaba · dormakaba registration unit 9002

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://seclists.org/fulldisclosure/2026/Jan/24 https://r.sec-consult.com/dkaccess https://r.sec-consult.com/dormakaba https://www.dormakabagroup.com/en/security-advisories