Daikin’s Security Gateway is affected by a critical pre‑authentication password‑reset flaw that lets an unauthenticated attacker reset device credentials to the factory default and take control of the appliance and any connected systems. The issue is tracked as CVE‑2025‑10127 and rated highly under modern scoring frameworks, with public proof‑of‑concept exploit code already available. (vulners.com)

Background / Overview

The vulnerability was discovered and publicly documented by researcher Gjoko “LiquidWorm” Krstic (ZeroScience Lab) and disclosed in an advisory identifying the root cause as a weak password‑recovery / authorization bypass in the Security Gateway’s password reset API (an IDOR‑style flaw and CWE‑640 class weakness). The affected product listing shows Daikin Security Gateway v214 (Application: 100, Firmware: 214) as vulnerable. (vulners.com)
This is not a low‑impact bug. The advisory and accompanying exploit descriptions show a direct path for an unauthenticated actor to reset the gateway’s admin credentials back to the default Daikin:Daikin values, which enables logins, configuration changes, and potential lateral movement to managed devices. Public exploit scripts have been posted to vulnerability repositories, increasing the immediacy of the threat for exposed devices. (vulners.com)
CISA’s standard operational guidance for industrial and building control systems — minimizing internet exposure, strong segmentation, firewalling, and using secure remote‑access gateways — remains applicable here as mitigation and compensating control advice until operators can apply vendor fixes or take protective steps.

What the vulnerability is, in plain language

  • The Security Gateway exposes a password‑reset endpoint that trusts attacker‑controlled input or an improperly validated token/identifier.
  • Because the endpoint lacks adequate authorization checks, an attacker can issue a crafted POST request that triggers the gateway to reset its administrative account(s) to default credentials.
  • Once reset to factory credentials, an attacker can authenticate, access the web UI/API, change settings, create persistent accounts or backdoors, and control any functions the gateway exposes — including the cloud connectivity used by Daikin controllers.
Key technical labels and concepts:
  • Vulnerability class: Weak password recovery/authorization bypass (CWE‑640 / Missing or insufficient authentication checks).
  • Exploit type: Pre‑authentication IDOR / API authorization bypass that results in credential reset.
  • Affected component: Daikin Security Gateway (app: 100, frm: 214; Security Gateway v214 has been reported). (vulners.com)

Technical details and scoring (what defenders must know)

  • The vulnerability has been assigned CVE‑2025‑10127 in public tracking references and is described in ZeroScience Lab advisory ZSL‑2025‑5931. The published advisories and exploit entries detail how a simple unauthenticated HTTP POST can reset admin credentials. (vulners.com)
  • Public exploit templates and PoC code have been cataloged in exploit databases and mirrored pages (Exploit‑DB / Vulners entries), which make automated scanning and exploitation straightforward for opportunistic attackers. (vulners.com)
  • While vendor‑calculated CVSS vectors in some ICS advisories vary, the practical risk indicators are:
    • Attack vector: Network (remote).
    • Privileges required: None (pre‑auth).
    • User interaction: None.
    • Impact: High confidentiality, integrity, and availability risk for the gateway and downstream devices if the attacker can reach the management interface.
  • Because a credential reset restores default credentials, the attack trivially removes the primary barrier to administrative control, making any additional server‑side protections (if weak) moot after exploitation.

Proof‑of‑Concept and exploitability — why “proof” matters

Public disclosure by a reputable researcher and mirrored PoC packages dramatically increase real‑world exploitability for these reasons:
  • PoC code reduces the technical barrier; automated scanners and mass‑exploitation scripts can be built quickly. (vulners.com)
  • The attack requires no authentication or special timing; as soon as an attacker can reach the reset endpoint, the device is at risk.
  • Gateway devices are often placed in networks that bridge OT/IT or provide remote access channels — meaning a single compromised gateway can be a pivot to other operational gear.
Practically, if your Security Gateway is internet‑accessible (directly or via misconfigured port forwarding), exploitation can occur from anywhere. If the gateway is only reachable from segmented OT networks but those networks are reachable from business systems (via poor segmentation), the risk remains material. Network reachability is the primary gating factor.

Vendor response and status — what’s verified and what is not

  • The coordinated disclosure shows ZeroScience Lab reported the issue; the exploit details are public. (vulners.com)
  • The CISA advisory content indicates Daikin has stated it will not issue a patch for this vulnerability and will instead respond to individual user inquiries. That statement is consequential and must be treated as a strong operational signal for affected customers.
  • Independent, vendor‑published confirmation (for example, an official Daikin security advisory or Daikin PSIRT statement) was not found in public vendor pages at the time of writing in the datasets reviewed here; the researcher advisory and public exploit repositories document the technical facts and PoC. Because vendor posture decisions materially affect remediation and lifecycle planning, operators should verify directly with Daikin customer support or PSIRT whether a formal vendor advisory or firmware update exists for their exact model and region. (vulners.com)
Caveat: the claim “Daikin will not fix” may be true as reported to CISA or by third parties, but if you operate affected hardware you should confirm with Daikin support channels because vendor positions can change under customer pressure, regulatory attention, or after further triage.

Immediate risk evaluation for operators (energy and building systems)

  • Impact to operations: High. Security Gateways are central to cloud connectivity and management of controllers; compromise can yield configuration changes, telemetry manipulation, or loss of availability for downstream assets.
  • Likelihood of exploitation: High for internet‑exposed or poorly segmented devices given public PoC availability. (vulners.com)
  • Practical scenario: An attacker resets the gateway, logs in using Daikin:Daikin, toggles remote connectivity or injects malicious settings, then uses the gateway’s management channels to alter connected HVAC/energy controllers or to pivot into building automation networks.
Given the Energy sector’s criticality and common deployment patterns of gateway appliances, the combination of high impact and available PoC makes this a high‑priority issue for affected operators.

Recommended mitigations and compensating controls (practical, step‑by‑step)

Because vendor remediation may not be available or may be delayed, apply layered compensating controls immediately.
  • Inventory and profile (0–24 hours)
    1.1. Identify every deployed Daikin Security Gateway by serial number, software (App) and firmware (Frm) version. Note geographic/site location and network interfaces.
    1.2. Record whether the device’s management interfaces are reachable from enterprise or internet zones.
  • Isolate and block (immediate)
    2.1. Remove direct Internet exposure: block inbound access to the gateway management ports (HTTP, HTTPS, remote‑management ports) at perimeter firewalls and routers.
    2.2. If you must allow remote vendor access, require a vendor jump box or bastion host with strict IP allow‑listing and MFA; do not allow direct inbound traffic to the gateway.
    2.3. Use internal firewall rules to limit which hosts/subnets can reach the gateway management interface.
  • Change physical and account controls
    3.1. If you still have control of the gateway and can access it safely, change admin passwords immediately from default and disable remote password‑reset features where possible. Note: changing the password does not prevent a future reset while the vulnerable endpoint can still be reached, but it reduces the chance of default‑credential access in configurations where the reset endpoint is restricted.
    3.2. Rotate any API keys, cloud credentials, or tokens that the gateway uses to connect to cloud services — revoke and reissue them where feasible.
  • Network segmentation and monitoring
    4.1. Place the gateway and all connected controllers on a dedicated OT management VLAN with egress filtered and only the minimum allowed services.
    4.2. Deploy network IDS/IPS rules to alert on suspicious POST requests to password reset endpoints, unusual authentication resets, and sudden configuration changes.
    4.3. Monitor syslog and audit trails for unexpected resets, repeated failed attempts, or admin logins from anomalous IP addresses.
  • For remote access and vendor maintenance
    5.1. Insist on secure remote management via vendor‑owned, audited portals or via VPNs terminated at known jump hosts with MFA.
    5.2. Use ephemeral access tokens and session recording for vendor sessions.
  • Test and plan for replacement
    6.1. If Daikin confirms no patch will be provided for the affected firmware, prepare a procurement and replacement roadmap for affected gateways. Treat unpatchable network‑facing appliances as high‑risk assets requiring accelerated replacement.
    6.2. If replacement is not immediately possible, ensure compensating controls (isolation, strict access controls, strong monitoring) remain in place and are validated.
A short prioritized checklist (for immediate action):
  • Block management interfaces from the Internet.
  • Verify device firmware and record serial numbers.
  • Limit management access to specific admin hosts.
  • Rotate credentials and cloud tokens.
  • Alert for password‑reset API calls and administrative configuration changes.
  • Contact Daikin support and document correspondence.
  • If vendor confirms “no patch,” schedule replacement.
CISA’s general ICS mitigation guidance (segmentation, not exposing control systems to the open Internet, use of VPNs with caution, etc.) should be followed in parallel as long‑term defense.
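
One way to implement the alerting in steps 4.2 and 4.3, as an added example that is not part of the original article or of any Daikin, CISA or researcher material: it scans web access logs in front of the gateway for POSTs to the reset endpoint and correlates a successful reset from an unapproved source with a login shortly afterwards. The endpoint paths, the allow‑listed admin host, the 10‑minute window and the log lines are assumptions constructed for illustration, since this page does not give the real paths.

```python
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions (not from the advisory): this page gives no endpoint paths, so
# both paths are placeholders; 2xx is treated as "request succeeded".
RESET_PATH = "/PLACEHOLDER/password-reset"
LOGIN_PATH = "/PLACEHOLDER/login"
ADMIN_NETS = [ip_network("10.20.0.5/32")]  # allow-listed management hosts
WINDOW = timedelta(minutes=10)             # reset -> login correlation window
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample lines in Common Log Format, not captured traffic.
SAMPLE = """\
10.20.0.5 - - [12/Sep/2025:08:01:10 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.44 - - [12/Sep/2025:08:14:02 +0000] "POST /PLACEHOLDER/password-reset HTTP/1.1" 200 31
203.0.113.44 - - [12/Sep/2025:08:14:40 +0000] "POST /PLACEHOLDER/login HTTP/1.1" 200 880
10.20.0.5 - - [12/Sep/2025:09:00:00 +0000] "POST /PLACEHOLDER/password-reset HTTP/1.1" 200 31
198.51.100.7 - - [12/Sep/2025:09:30:00 +0000] "POST /PLACEHOLDER/password-reset HTTP/1.1" 403 0
""".splitlines()

def is_admin(src):
    return any(ip_address(src) in net for net in ADMIN_NETS)

def detect(lines):
    """Return (severity, source, time, reason) alerts in log order."""
    alerts, last_bad_reset = [], None  # time of last 2xx reset by a non-admin
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(3) != "POST":
            continue                   # unparseable line or not a POST
        src, ts, _, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path, ok = path.split("?")[0], status.startswith("2")
        if path == RESET_PATH and is_admin(src):
            alerts.append(("review", src, when, "reset from admin host"))
        elif path == RESET_PATH:
            if ok:
                last_bad_reset = when
            alerts.append(("high" if ok else "medium", src, when,
                           f"reset from unapproved source (HTTP {status})"))
        elif (path == LOGIN_PATH and ok and not is_admin(src) and last_bad_reset
              and when - last_bad_reset <= WINDOW):
            alerts.append(("critical", src, when, "login soon after reset"))
    return alerts

if __name__ == "__main__":
    for sev, src, when, reason in detect(SAMPLE):
        print(f"{sev:8} {when.isoformat()} {src:15} {reason}")
```

A blocked attempt (the 403 line) still raises a medium alert, because it shows that an unapproved source can reach the endpoint at all.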

How to validate whether you’re vulnerable (technical steps)

  • Identify the gateway’s firmware and application versions (via the device UI or command line). Confirm whether they match the affected identifiers (App: 100, Frm: 214) reported in advisories. (vulners.com)
  • From a controlled and logged management host, query the gateway’s management endpoints (HTTP(S)) to determine if the password reset endpoint is reachable — do not attempt exploitative POSTs on production systems; instead perform passive checks (e.g., page availability, URL presence).
  • If you find the endpoint reachable, assume the device is exploitable and apply immediate network blocks and isolation.
  • If you must test exploitation in a lab, perform tests on an offline copy or an isolated mirror device only, and follow responsible disclosure and organizational testing policies.
Note: Do not perform unchecked offensive testing on production devices; that can disrupt operations and produce legal/contractual consequences.

Broader implications (why this matters beyond a single gateway)

  • Gateways like Daikin’s are commonly deployed in building automation and energy management; their compromise can not only disrupt comfort HVAC but also affect energy balancing, telemetry, and safety interlocks in integrated deployments.
  • The vulnerability class (pre‑auth reset / IDOR) is a recurring theme across IoT/OT devices and often stems from rushed web API designs without rigorous authorization checks.
  • Public PoC availability accelerates the risk timeline. In previous incidents where PoCs were published and devices remained exposed, scanning and mass exploitation followed within days. For ICS and energy operators, the cost of even short downtime can be significant.
Security posture across OT/IT must treat gateways as high‑value targets and prioritize network controls, asset inventories, and replacement strategies for unpatchable appliances.

Confirming facts, research attribution, and sources

  • The vulnerability and PoC were published by Gjoko Krstic (ZeroScience Lab) under advisory ZSL‑2025‑5931; the advisory documents the remote password reset and provides technical details. (vulners.com)
  • Exploit copies and community PoC entries have appeared in public exploit trackers and vulnerability aggregators, increasing exploitability. (vulners.com)
  • CISA’s general mitigating controls for industrial/control devices (isolate from internet, segment networks, use VPNs cautiously, monitoring) are relevant here and reflected in the ICS guidance used by operators.
Important verification note: a claim in some advisory summaries that “Daikin will not fix this vulnerability” is significant for lifecycle planning. While this claim appears in advisory text provided to incident responders, operators must validate the vendor position directly with Daikin PSIRT or corporate support channels before making permanent procurement or replacement decisions.

Recommended incident response playbook (if you suspect compromise)

  • Contain: Immediately block external access to the gateway and isolate it from networks with sensitive devices.
  • Preserve: Collect logs from the gateway, jump hosts, and any connected controllers; preserve forensic images if compromise is suspected.
  • Analyze: Look for evidence of administrative changes, new accounts, unexpected configuration changes, or outbound traffic to unknown hosts.
  • Eradicate: If compromise is confirmed, remove the gateway from service and rebuild from known‑good images or replace the device. Revoke and rotate any cloud or API credentials used by the gateway.
  • Recover: Restore operations only after validating that new credentials and hardened network controls are in place.
  • Report: Notify customers, suppliers, and regulatory bodies as required; report to national CERT/CISA if the incident affects critical infrastructure.
  • Review: Perform a post‑incident review and update procurement and patching workflows to prioritize replaceable or unpatchable network appliances.

Final analysis: strengths, weaknesses, and risk posture

Strengths
  • Public disclosure by an experienced researcher produced rapid visibility and PoC availability, enabling defenders to test and implement mitigations.
  • Standard ICS hardening practices (segmentation, firewalling, controlled remote access) remain effective compensating controls when applied aggressively.
Weaknesses & Risks
  • Public PoC availability combined with a potential vendor decision not to patch leaves operators with tough choices: replace hardware quickly or sustain heavy compensating controls at operational cost. (vulners.com)
  • Gateways are often deployed with remote management enabled for convenience; this increases the attack surface and makes rapid exploitation more likely.
  • The energy and building sectors maintain long device lifecycles and may run legacy firmware that vendors no longer support, amplifying risk when a vendor declines to fix.
Operational recommendation
  • Treat any exposed Daikin Security Gateway instances as high‑risk assets until you can either (a) confirm a patched firmware is available from Daikin, or (b) isolate/replace the device. Follow the immediate mitigation checklist above and validate all vendor communications in writing.

Conclusion

This vulnerability in the Daikin Security Gateway (CVE‑2025‑10127) illustrates how simple API design failures — a missing authorization check on a password reset function — can translate into immediate, high‑impact operational risk when PoC code becomes public. Defenders must move quickly: validate exposure, block remote access, rotate credentials and cloud tokens, add monitoring for exploit attempts, and engage directly with Daikin for clarification on vendor support and remediation. If Daikin confirms an absence of a vendor patch, operators should plan accelerated replacement of the gateway or accept the operational cost of strict isolation and heightened monitoring. Public PoCs are live; the window for action is short. (vulners.com)

Source: CISA Daikin Security Gateway | CISA
 
