CVE-2024-29916

MEDIUM

dormakaba Saflok - Unauthenticated Door Unlock via Forged Keycard

Title source: llm

Description

The dormakaba Saflok system before the November 2023 software update allows an attacker to unlock arbitrary doors at a property via forged keycards, if the attacker has obtained one active or expired keycard for the specific property, aka the "Unsaflok" issue. This occurs, in part, because the key derivation function relies only on a UID. This affects, for example, Saflok MT, and the Confidant, Quantum, RT, and Saffire series.

References (4)

Core 4

Core References

Various Sources

https://news.ycombinator.com/item?id=39779291

Various Sources

https://unsaflok.com

Various Sources

https://www.wired.com/story/saflok-hotel-lock-unsaflok-hack-technique/

Various Sources

https://www.youtube.com/watch?v=4cx0RUV7i0s

Scores

CVSS v3 5.6

EPSS 0.0032

EPSS Percentile 23.0%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-407

Status published

Published Mar 21, 2024

Tracked Since Feb 18, 2026