Daikin Security Gateway v214 Remote Password Reset
Title: Daikin Security Gateway v214 Remote Password Reset
Advisory ID: ZSL-2025-5931
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 28.04.2025
[21.03.2025] Vendor contacted.
[27.04.2025] No response from the vendor.
[28.04.2025] Public security advisory released.
[08.09.2025] Vendor will not make the fix and not publish any information for this issue. If inquiry from users, will respond individually.
[2] https://www.exploit-db.com/exploits/52278
[3] https://cxsecurity.com/issue/WLB-2025050010
[4] https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-10
[5] https://www.cve.org/CVERecord?id=CVE-2025-10127
[6] https://jvn.jp/vu/JVNVU93913883/
[29.04.2025] - Added reference [1]
[09.05.2025] - Added reference [2]
[26.05.2025] - Added reference [3]
[11.09.2025] - Added reference [4] and [5]
[18.09.2025] - Added vendor status and reference [6]
Web: https://www.zeroscience.mk
e-mail: [email protected]
Advisory ID: ZSL-2025-5931
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 28.04.2025
Summary
The Security gateway allows the iTM and LC8 controllers to connect through the Security gateway to the Daikin Cloud Service. Instead of sending the report to the router directly, the iTM or LC8 controller sends the report to the Security gateway first. The Security gateway transforms the report format from http to https and then sends the transformed https report to the Daikin Cloud Service via the router. Built-in LAN adapter enabling online control.Description
The Daikin Security Gateway exposes a critical vulnerability in its password reset API endpoint. Due to an IDOR flaw, an unauthenticated attacker can send a crafted POST request to this endpoint, bypassing authentication mechanisms. Successful exploitation resets the system credentials to the default Daikin:Daikin username and password combination. This allows attackers to gain unauthorized access to the system without prior credentials, potentially compromising connected devices and networks.Vendor
Daikin Industries, Ltd. - https://www.daikin.comAffected Version
App: 100, Frm: 214Tested On
fasthttpVendor Status
[21.03.2025] Vulnerability discovered.[21.03.2025] Vendor contacted.
[27.04.2025] No response from the vendor.
[28.04.2025] Public security advisory released.
[08.09.2025] Vendor will not make the fix and not publish any information for this issue. If inquiry from users, will respond individually.
PoC
daikin.shCredits
Vulnerability discovered by Gjoko Krstic - <[email protected]>References
[1] https://packetstorm.news/files/id/190705/[2] https://www.exploit-db.com/exploits/52278
[3] https://cxsecurity.com/issue/WLB-2025050010
[4] https://www.cisa.gov/news-events/ics-advisories/icsa-25-254-10
[5] https://www.cve.org/CVERecord?id=CVE-2025-10127
[6] https://jvn.jp/vu/JVNVU93913883/
Changelog
[28.04.2025] - Initial release[29.04.2025] - Added reference [1]
[09.05.2025] - Added reference [2]
[26.05.2025] - Added reference [3]
[11.09.2025] - Added reference [4] and [5]
[18.09.2025] - Added vendor status and reference [6]
Contact
Zero Science LabWeb: https://www.zeroscience.mk
e-mail: [email protected]
