Daikin’s Security Gateway is affected by a critical pre‑authentication password‑reset flaw that lets an unauthenticated attacker reset device credentials to the factory default and take control of the appliance and any connected systems — the issue is tracked as CVE‑2025‑10127 and rated highly under modern scoring frameworks, with public proof‑of‑concept exploit code already available.  
		
		
	
	
The vulnerability was discovered and publicly documented by researcher Gjoko “LiquidWorm” Krstic (ZeroScience Lab) and disclosed in an advisory identifying the root cause as a weak password‑recovery / authorization bypass in the Security Gateway’s password reset API (an IDOR‑style flaw and CWE‑640 class weakness). The affected product listing shows Daikin Security Gateway v214 (Application: 100, Firmware: 214) as vulnerable. 
This is not a low‑impact bug. The advisory and accompanying exploit descriptions show a direct path for an unauthenticated actor to reset the gateway’s admin credentials back to the default Daikin aikin values, which enables logins, configuration changes, and potential lateral movement to managed devices. Public exploit scripts have been posted to vulnerability repositories, increasing the immediacy of the threat for exposed devices.
aikin values, which enables logins, configuration changes, and potential lateral movement to managed devices. Public exploit scripts have been posted to vulnerability repositories, increasing the immediacy of the threat for exposed devices. 
CISA’s standard operational guidance for industrial and building control systems — minimizing internet exposure, strong segmentation, firewalling, and using secure remote‑access gateways — remains applicable here as mitigation and compensating control advice until operators can apply vendor fixes or take protective steps.
Source: CISA Daikin Security Gateway | CISA
				
			
		
		
	
	
 Background / Overview
Background / Overview
The vulnerability was discovered and publicly documented by researcher Gjoko “LiquidWorm” Krstic (ZeroScience Lab) and disclosed in an advisory identifying the root cause as a weak password‑recovery / authorization bypass in the Security Gateway’s password reset API (an IDOR‑style flaw and CWE‑640 class weakness). The affected product listing shows Daikin Security Gateway v214 (Application: 100, Firmware: 214) as vulnerable. This is not a low‑impact bug. The advisory and accompanying exploit descriptions show a direct path for an unauthenticated actor to reset the gateway’s admin credentials back to the default Daikin
 aikin values, which enables logins, configuration changes, and potential lateral movement to managed devices. Public exploit scripts have been posted to vulnerability repositories, increasing the immediacy of the threat for exposed devices.
aikin values, which enables logins, configuration changes, and potential lateral movement to managed devices. Public exploit scripts have been posted to vulnerability repositories, increasing the immediacy of the threat for exposed devices. CISA’s standard operational guidance for industrial and building control systems — minimizing internet exposure, strong segmentation, firewalling, and using secure remote‑access gateways — remains applicable here as mitigation and compensating control advice until operators can apply vendor fixes or take protective steps.
What the vulnerability is, in plain language
- The Security Gateway exposes a password‑reset endpoint that trusts attacker‑controlled input or an improperly validated token/identifier.
- Because the endpoint lacks adequate authorization checks, an attacker can issue a crafted POST request that triggers the gateway to reset its administrative account(s) to default credentials.
- Once reset to factory credentials, an attacker can authenticate, access the web UI/API, change settings, create persistent accounts or backdoors, and control any functions the gateway exposes — including the cloud connectivity used by Daikin controllers.
- Vulnerability class: Weak password recovery/authorization bypass (CWE‑640 / Missing or insufficient authentication checks).
- Exploit type: Pre‑authentication IDOR / API authorization bypass that results in credential reset.
- Affected component: Daikin Security Gateway (app: 100, frm: 214; Security Gateway v214 has been reported).
Technical details and scoring (what defenders must know)
- The vulnerability has been assigned CVE‑2025‑10127 in public tracking references and is described in Zeroscience advisory ZSL‑2025‑5931. The published advisories and exploit entries detail how a simple unauthenticated HTTP POST can reset admin credentials.
- Public exploit templates and PoC code have been cataloged in exploit databases and mirrored pages (Exploit‑DB / Vulners entries), which make automated scanning and exploitation straightforward for opportunistic attackers.
- While vendor‑calculated CVSS vectors in some ICS advisories vary, the practical risk indicators are:
- Attack vector: Network (remote).
- Privileges required: None (pre‑auth).
- User interaction: None.
- Impact: High confidentiality, integrity, and availability risk for the gateway and downstream devices if the attacker can reach the management interface.
- Because a credential reset restores default credentials, the attack trivially removes the primary barrier to administrative control, making any additional server‑side protections (if weak) moot after exploitation.
Proof‑of‑Concept and exploitability — why “proof” matters
Public disclosure by a reputable researcher and mirrored PoC packages dramatically increase real‑world exploitability for these reasons:- PoC code reduces the technical barrier; automated scanners and mass‑exploitation scripts can be built quickly.
- The attack requires no authentication or special timing; as soon as an attacker can reach the reset endpoint, the device is at risk.
- Gateway devices are often placed in networks that bridge OT/IT or provide remote access channels — meaning a single compromised gateway can be a pivot to other operational gear.
Vendor response and status — what’s verified and what is not
- The coordinated disclosure shows ZeroScience Lab reported the issue; the exploit details are public.
- The CISA advisory content the user provided indicates Daikin has stated it will not issue a patch for this vulnerability and will instead respond to individual user inquiries. That statement is consequential and must be treated as a strong operational signal for affected customers.
- Independent, vendor‑published confirmation (for example, an official Daikin security advisory or Daikin PSIRT statement) was not found in public vendor pages at the time of writing in the datasets reviewed here; the researcher advisory and public exploit repositories document the technical facts and PoC. Because vendor posture decisions materially affect remediation and lifecycle planning, operators should verify directly with Daikin customer support or PSIRT whether a formal vendor advisory or firmware update exists for their exact model and region.
Immediate risk evaluation for operators (energy and building systems)
- Impact to operations: High. Security Gateways are central to cloud connectivity and management of controllers; compromise can yield configuration changes, telemetry manipulation, or loss of availability for downstream assets.
- Likelihood of exploitation: High for internet‑exposed or poorly segmented devices given public PoC availability.
- Practical scenario: An attacker resets the gateway, logs in using Daikin aikin, toggles remote connectivity or injects malicious settings, then uses the gateway’s management channels to alter connected HVAC/energy controllers or to pivot into building automation networks. aikin, toggles remote connectivity or injects malicious settings, then uses the gateway’s management channels to alter connected HVAC/energy controllers or to pivot into building automation networks.
Recommended mitigations and compensating controls (practical, step‑by‑step)
Because vendor remediation may not be available or may be delayed, apply layered compensating controls immediately.- Inventory and profile (0–24 hours)
 1.1. Identify every deployed Daikin Security Gateway by serial number, software (App) and firmware (Frm) version. Note geographic/site location and network interfaces.
 1.2. Record whether the device’s management interfaces are reachable from enterprise or internet zones.
- Isolate and block (immediate)
 2.1. Remove direct Internet exposure: block inbound access to the gateway management ports (HTTP, HTTPS, remote‑management ports) at perimeter firewalls and routers.
 2.2. If you must allow remote vendor access, require a vendor jump box or bastion host with strict IP allow‑listing and MFA; do not allow direct inbound traffic to the gateway.
 2.3. Use internal firewall rules to limit which hosts/subnets can reach the gateway management interface.
- Change physical and account controls
 3.1. If you still have control of the gateway and can access it safely, change admin passwords immediately from default and disable remote password‑reset features where possible. Note: changing the password after the vulnerability exists does not prevent a future reset if the endpoint can be reached — but it reduces the chance of default‑credential access in configurations where the reset endpoint is restricted.
 3.2. Rotate any API keys, cloud credentials, or tokens that the gateway uses to connect to cloud services — revoke and reissue them where feasible.
- Network segmentation and monitoring
 4.1. Place the gateway and all connected controllers on a dedicated OT management VLAN with egress filtered and only the minimum allowed services.
 4.2. Deploy network IDS/IPS rules to alert on suspicious POST requests to password reset endpoints, unusual authentication resets, and sudden configuration changes.
 4.3. Monitor syslog and audit trails for unexpected resets, repeated failed attempts, or admin logins from anomalous IP addresses.
- For remote access and vendor maintenance
 5.1. Insist on secure remote management via vendor‑owned, audited portals or via VPNs terminated at known jump hosts with MFA.
 5.2. Use ephemeral access tokens and session recording for vendor sessions.
- Test and plan for replacement
 6.1. If Daikin confirms no patch will be provided for the affected firmware, prepare a procurement and replacement roadmap for affected gateways. Treat unpatchable network‑facing appliances as high‑risk assets requiring accelerated replacement.
 6.2. If replacement is not immediately possible, ensure compensating controls (isolation, strict access controls, strong monitoring) remain in place and are validated.
- Block management interfaces from the Internet.
- Verify device firmware and record serial numbers.
- Limit management access to specific admin hosts.
- Rotate credentials and cloud tokens.
- Alert for password‑reset API calls and administrative configuration changes.
- Contact Daikin support and document correspondence.
- If vendor confirms “no patch,” schedule replacement.
How to validate whether you’re vulnerable (technical steps)
- Identify the gateway’s firmware and application versions (via the device UI or command line). Confirm whether they match the affected identifiers (App: 100, Frm: 214) reported in advisories.
- From a controlled and logged management host, query the gateway’s management endpoints (HTTP(S)) to determine if the password reset endpoint is reachable — do not attempt exploitative POSTs on production systems; instead perform passive checks (e.g., page availability, URL presence).
- If you find the endpoint reachable, assume the device is exploitable and apply immediate network blocks and isolation.
- If you must test exploitation in a lab, perform tests on an offline copy or an isolated mirror device only, and follow responsible disclosure and organizational testing policies.
Broader implications (why this matters beyond a single gateway)
- Gateways like Daikin’s are commonly deployed in building automation and energy management; their compromise can not only disrupt comfort HVAC but also affect energy balancing, telemetry, and safety interlocks in integrated deployments.
- The vulnerability class (pre‑auth reset / IDOR) is a recurring theme across IoT/OT devices and often stems from rushed web API designs without rigorous authorization checks.
- Public PoC availability accelerates the risk timeline. In previous incidents where PoCs were published and devices remained exposed, scanning and mass exploitation followed within days. For ICS and energy operators, the cost of even short downtime can be significant.
Confirming facts, research attribution, and sources
- The vulnerability and PoC were published by Gjoko Krstic (ZeroScience Lab) under advisory ZSL‑2025‑5931; the advisory documents the remote password reset and provides technical details.
- Exploit copies and community PoC entries have appeared in public exploit trackers and vulnerability aggregators, increasing exploitability.
- CISA’s general mitigating controls for industrial/control devices (isolate from internet, segment networks, use VPNs cautiously, monitoring) are relevant here and reflected in the ICS guidance used by operators.
Recommended incident response playbook (if you suspect compromise)
- Contain: Immediately block external access to the gateway and isolate it from networks with sensitive devices.
- Preserve: Collect logs from the gateway, jump hosts, and any connected controllers; preserve forensic images if compromise is suspected.
- Analyze: Look for evidence of administrative changes, new accounts, unexpected configuration changes, or outbound traffic to unknown hosts.
- Eradicate: If compromise is confirmed, remove the gateway from service and rebuild from known‑good images or replace the device. Revoke and rotate any cloud or API credentials used by the gateway.
- Recover: Restore operations only after validating that new credentials and hardened network controls are in place.
- Report: Notify customers, suppliers, and regulatory bodies as required; report to national CERT/CISA if the incident affects critical infrastructure.
- Review: Perform a post‑incident review and update procurement and patching workflows to prioritize replaceable or unpatchable network appliances.
Final analysis: strengths, weaknesses, and risk posture
Strengths- Public disclosure by an experienced researcher produced rapid visibility and PoC availability, enabling defenders to test and implement mitigations.
- Standard ICS hardening practices (segmentation, firewalling, controlled remote access) remain effective compensating controls when applied aggressively.
- Public PoC availability combined with a potential vendor decision not to patch leaves operators with tough choices: replace hardware quickly or sustain heavy compensating controls at operational cost.
- Gateways are often deployed with remote management enabled for convenience; this increases the attack surface and makes rapid exploitation more likely.
- The energy and building sectors maintain long device lifecycles and may run legacy firmware that vendors no longer support, amplifying risk when a vendor declines to fix.
- Treat any exposed Daikin Security Gateway instances as high‑risk assets until you can either (a) confirm a patched firmware is available from Daikin, or (b) isolate/replace the device. Follow the immediate mitigation checklist above and validate all vendor communications in writing.
Conclusion
This vulnerability in the Daikin Security Gateway (CVE‑2025‑10127) illustrates how simple API design failures — a missing authorization check on a password reset function — can translate into immediate, high‑impact operational risk when PoC code becomes public. Defenders must move quickly: validate exposure, block remote access, rotate credentials and cloud tokens, add monitoring for exploit attempts, and engage directly with Daikin for clarification on vendor support and remediation. If Daikin confirms an absence of a vendor patch, operators should plan accelerated replacement of the gateway or accept the operational cost of strict isolation and heightened monitoring. Public PoCs are live; the window for action is short.Source: CISA Daikin Security Gateway | CISA
