Daikin Security Gateway v214 Remote Password Reset

Title: Daikin Security Gateway v214 Remote Password Reset
Advisory ID: ZSL-2025-5931
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 28.04.2025

Summary

The Security gateway allows the iTM and LC8 controllers to connect through the Security gateway to the Daikin Cloud Service. Instead of sending the report to the router directly, the iTM or LC8 controller sends the report to the Security gateway first. The Security gateway transforms the report format from http to https and then sends the transformed https report to the Daikin Cloud Service via the router. Built-in LAN adapter enabling online control.

Description

The Daikin Security Gateway exposes a critical vulnerability in its password reset API endpoint. Due to an IDOR flaw, an unauthenticated attacker can send a crafted POST request to this endpoint, bypassing authentication mechanisms. Successful exploitation resets the system credentials to the default Daikin:Daikin username and password combination. This allows attackers to gain unauthorized access to the system without prior credentials, potentially compromising connected devices and networks.

Vendor

Daikin Industries, Ltd. - https://www.daikin.com

Affected Version

App: 100, Frm: 214

Tested On

fasthttp

Vendor Status

[21.03.2025] Vulnerability discovered.
[21.03.2025] Vendor contacted.
[27.04.2025] No response from the vendor.
[28.04.2025] Public security advisory released.

PoC

daikin.sh

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

N/A

Changelog

[28.04.2025] - Initial release

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: [email protected]