dormakaba Access Manager Unauthenticated SOAP API Vulnerability Allowing Arbitrary Door Control

Vulnerability

A critical vulnerability affects the dormakaba Access Manager 9200-k5 and 9200-k7 hardware revisions running firmware prior to the latest updates. The issue lies in an unauthenticated SOAP API that allows an attacker to manipulate the access manager's configuration and control connected devices, including opening doors and deactivating security inputs. The vulnerability can be exploited remotely by anyone with network access to the access manager.

Impact

Exploitation of this vulnerability allows for unauthorized access control, including opening doors and reconfiguring the access manager's settings. This could lead to unauthorized entry into secured areas.

Reproduction

The vulnerability can be reproduced by sending a SOAP request to the access manager's API on port 8002. The request must carry the identifier of the access manager and the command to execute, such as opening a door or changing a configuration parameter. Because no authentication is required, this can be automated with a simple script or a tool such as Burp Suite.

Remediation

Users are advised to update to the latest firmware version and consult with their dormakaba partner for guidance on implementing the necessary security measures.
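Until the firmware update is applied, the practical control is to make sure only management hosts can reach the SOAP port named above. The following is an added defensive check, not code from dormakaba or from this advisory: it scans connection records for clients that reached port 8002 on the access manager from outside an allowlisted management subnet. The log format, the access manager address and the management subnet are assumptions.

```python
import ipaddress
from typing import List, NamedTuple

# Port of the unauthenticated SOAP API named in the advisory.
SOAP_PORT = 8002

# Assumed values: the access manager's address and the management
# subnet that is the only legitimate source of SOAP traffic.
ACCESS_MANAGER = ipaddress.ip_address("10.10.20.5")
MANAGEMENT_NET = ipaddress.ip_network("10.10.10.0/24")

# Constructed sample connection records (not taken from the advisory),
# one per line in the assumed format "src_ip dst_ip dst_port".
SAMPLE_FLOWS = """\
10.10.10.7 10.10.20.5 8002
192.168.50.33 10.10.20.5 8002
10.10.10.7 10.10.20.5 443
172.16.4.9 10.10.20.5 8002
10.10.10.9 10.10.20.5 8002
"""


class Flow(NamedTuple):
    src: ipaddress._BaseAddress
    dst: ipaddress._BaseAddress
    dport: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the assumed "src dst port" records, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        src, dst, port = ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]), int(parts[2])
        flows.append(Flow(src, dst, port))
    return flows


def suspicious_soap_sources(flows, manager=ACCESS_MANAGER, allowed=MANAGEMENT_NET) -> List[str]:
    """Return sources that reached the SOAP port on the access manager from outside the allowlist."""
    hits = {str(f.src) for f in flows
            if f.dst == manager and f.dport == SOAP_PORT and f.src not in allowed}
    return sorted(hits)


if __name__ == "__main__":
    for src in suspicious_soap_sources(parse_flows(SAMPLE_FLOWS)):
        print(f"unexpected client on access manager port {SOAP_PORT}: {src}")
```

Any address reported here should either be added to the management allowlist deliberately or blocked at the network boundary in front of the access manager.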

Added: Jan 26, 2026, 10:34 AM
Updated: Jan 26, 2026, 3:16 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 3.2
remediation: 0.0
relevance: 2.4
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.