CVE-2025-59100

CVE-2025-59100 is a medium-severity vulnerability with a CVSS 4.0 base score of 5.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-285.

Key facts

Description

The web interface offers a functionality to export the internal SQLite database. After executing the database export, an automatic download is started and the device reboots. After rebooting, the exported database is deleted and cannot be accessed anymore. However, it was noticed that sometimes the device does not reboot and therefore the exported database is not deleted, or the device reboots and the export is not deleted for unknown reasons. The path where the database export is located can be accessed without prior authentication. This leads to the fact that an attacker might be able to get access to the exported database without prior authentication. The database includes sensitive data like passwords, card pins, encrypted Mifare sitekeys and much more.

Frequently asked questions

What is CVE-2025-59100?
The web interface offers a functionality to export the internal SQLite database. After executing the database export, an automatic download is started and the device reboots. After rebooting, the exported database is deleted and cannot be accessed anymore. However, it was noticed that sometimes the device does not reboot and therefore the exported database is not deleted, or the device reboots and the export is not deleted for unknown reasons. The path where the database export is located can be accessed without prior authentication. This leads to the fact that an attacker might be able to get access to the exported database without prior authentication. The database includes sensitive data like passwords, card pins, encrypted Mifare sitekeys and much more.
How severe is CVE-2025-59100?
CVE-2025-59100 has a CVSS 4.0 base score of 5.9, rated medium severity.
Is CVE-2025-59100 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (43rd percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2025-59100?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2025-59100 have an EU (EUVD) identifier?
Yes. CVE-2025-59100 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2025-206364.
When was CVE-2025-59100 published?
CVE-2025-59100 was published on 2026-01-26 and last updated on 2026-06-17.

References

Other CWE-285 (Improper Authorization) vulnerabilities

Browse all CWE-285 (Improper Authorization) vulnerabilities →