Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

Go to Calendar     Go to Press Room     Go to Newsletters subscription

Search

Vulnerabilities

With the aim of informing, warning and helping professionals with the latest security vulnerabilities in technology systems, we have made a database available for users interested in this information, which is in Spanish and includes all of the latest documented and recognised vulnerabilities.

This repository, with over 75,000 registers, is based on the information from the NVD (National Vulnerability Database) – by virtue of a partnership agreement – through which INCIBE translates the included information into Spanish.

On occasions this list will show vulnerabilities that have still not been translated, as they are added while the INCIBE team is still carrying out the translation process. The CVE  (Common Vulnerabilities and Exposures) Standard for Information Security Vulnerability Names is used with the aim to support the exchange of information between different tools and databases.

All vulnerabilities collected are linked to different information sources, as well as available patches or solutions provided by manufacturers and developers. It is possible to carry out advanced searches, as there is the option to select different criteria to narrow down the results, some examples being vulnerability types, manufacturers and impact levels, among others.

Through RSS feeds or Newsletters we can be informed daily about the latest vulnerabilities added to the repository. Below there is a list, updated daily, where you can discover the latest vulnerabilities.

CVE-2026-24656
Publication date:
26/01/2026
Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter.<br /> <br /> <br /> The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this configuration can be bypassed.<br /> It means that the log socket collector is vulnerable to deserialization of untrusted data, eventually causing DoS.<br /> <br /> <br /> NB: Decanter log socket collector is not installed by default. Users who have not installed Decanter log socket are not impacted by this issue.<br /> <br /> This issue affects Apache Karaf Decanter before 2.12.0.<br /> <br /> Users are recommended to upgrade to version 2.12.0, which fixes the issue.
Severity CVSS v4.0: Pending analysis
Last modification:
26/01/2026

CVE-2025-59103
Publication date:
26/01/2026
The Access Manager 92xx in hardware revision K7 is based on Linux instead of Windows CE embedded in older hardware revisions. In this new hardware revision it was noticed that an SSH service is exposed on port 22. By analyzing the firmware of the devices, it was noticed that there are two users with hardcoded and weak passwords that can be used to access the devices via SSH. The passwords can be also guessed very easily. The password of at least one user is set to a random value after the first deployment, with the restriction that the password is only randomized if the configured date is prior to 2022. Therefore, under certain circumstances, the passwords are not randomized. For example, if the clock is never set on the device, the battery of the clock module has been changed, the Access Manager has been factory reset and has not received a time yet.
Severity CVSS v4.0: CRITICAL
Last modification:
26/01/2026

CVE-2025-59104
Publication date:
26/01/2026
With physical access to the device and enough time an attacker is able to solder test leads to the debug footprint (or use the 6-Pin tag-connect cable). Thus, the attacker gains access to the bootloader, where the kernel command line can be changed. An attacker is able to gain a root shell through this vulnerability.
Severity CVSS v4.0: HIGH
Last modification:
26/01/2026

CVE-2025-59105
Publication date:
26/01/2026
With physical access to the device and enough time an attacker can desolder the flash memory, modify it and then reinstall it because of missing encryption. Thus, essential files, such as "/etc/passwd", as well as stored certificates, cryptographic keys, stored PINs and so on can be modified and read, in order to gain SSH root access on the Linux-based K7 model. On the Windows CE based K5 model, the password for the Access Manager can additionally be read in plain text from the stored SQLite database.
Severity CVSS v4.0: HIGH
Last modification:
26/01/2026

CVE-2025-59106
Publication date:
26/01/2026
The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. If an attacker is able to execute code on the system via other vulnerabilities it is possible to directly execute commands with highest privileges.
Severity CVSS v4.0: Pending analysis
Last modification:
26/01/2026

CVE-2025-59107
Publication date:
26/01/2026
Dormakaba provides the software FWServiceTool to update the firmware version of the Access Managers via the network. The firmware in some instances is provided in an encrypted ZIP file. Within this tool, the password used to decrypt the ZIP and extract the firmware is set statically and can be extracted. This password was valid for multiple observed firmware versions.
Severity CVSS v4.0: HIGH
Last modification:
26/01/2026

CVE-2025-59108
Publication date:
26/01/2026
By default, the password for the Access Manager&amp;#39;s web interface, is set to &amp;#39;admin&amp;#39;. In the tested version changing the password was not enforced.
Severity CVSS v4.0: CRITICAL
Last modification:
26/01/2026

CVE-2025-59109
Publication date:
26/01/2026
The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be easily replaced, an attacker is easily able to remove the device, install a hardware implant which connects to the UART and exfiltrates the data exposed via UART to another system (e.g. via WiFi).
Severity CVSS v4.0: MEDIUM
Last modification:
26/01/2026

CVE-2025-59096
Publication date:
26/01/2026
The default password for the extended admin user mode in the application U9ExosAdmin.exe ("Kaba 9300 Administration") is hard-coded in multiple locations as well as documented in the locally stored user documentation.
Severity CVSS v4.0: MEDIUM
Last modification:
26/01/2026

CVE-2025-59097
Publication date:
26/01/2026
The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the selected Access Manager via SOAP. The SOAP request is sent without any prior authentication or authorization by default. Though authentication and authorization can be configured using IPsec for 92xx-K5 devices and mTLS for 92xx-K7 devices, it is not enabled by default and must therefore be activated with additional steps.<br /> <br /> This insecure default allows an attacker with network level access to completely control the whole environment. An attacker is for example easily able to conduct the following tasks without prior authentication:<br /> - Re-configure Access Managers (e.g. remove alarming system requirements)<br /> - Freely re-configure the inputs and outputs<br /> - Open all connected doors permanently<br /> - Open all doors for a defined time interval<br /> - Change the admin password<br /> - and many more<br /> <br /> Network level access can be gained due to an insufficient network segmentation as well as missing LAN firewalls. Devices with an insecure configuration have been identified to be directly exposed to the internet.
Severity CVSS v4.0: CRITICAL
Last modification:
26/01/2026

CVE-2025-59098
Publication date:
26/01/2026
The Access Manager is offering a trace functionality to debug errors and issues with the device. The trace functionality is implemented as a simple TCP socket. A tool called TraceClient.exe, provided by dormakaba via the Access Manager web interface, is used to connect to the socket and receive debug information. The data is permanently broadcasted on the TCP socket. The socket can be accessed without any authentication or encryption. <br /> <br /> The transmitted data is based on the set verbosity level. The verbosity level can be set using the http(s) endpoint with the service interface password or with the guessable identifier of the device via the SOAP interface.<br /> <br /> The transmitted data contains sensitive data like the Card ID as well as all button presses on Registration units. This allows an attacker with network level access to retrieve all entered PINs on a registration unit.
Severity CVSS v4.0: HIGH
Last modification:
26/01/2026

CVE-2025-59099
Publication date:
26/01/2026
The Access Manager is using the open source web server CompactWebServer written in C#. This web server is affected by a path traversal vulnerability, which allows an attacker to directly access files via simple GET requests without prior authentication. <br /> <br /> Hence, it is possible to retrieve all files stored on the file system, including the SQLite database Database.sq3, containing badge information and the corresponding PIN codes. Additionally, when trying to access certain files, the web server crashes and becomes unreachable for about 60 seconds. This can be abused to continuously send the request and cause denial of service.
Severity CVSS v4.0: HIGH
Last modification:
26/01/2026
Subscribe to Vulnerabilities