Tracked as CVE-2025-10127, the flaw poses a severe risk to organizations worldwide that depend on Daikin’s security infrastructure to protect critical energy sector operations.
Weak Password Recovery Mechanism Enables Bypass
Security researchers from CISA discovered that a weak password recovery mechanism in the Daikin Security Gateway enables an authorization bypass through a user-controlled key vulnerability.
The recovery process fails to verify user identity properly, allowing an attacker to reset administrative credentials or directly gain system access without any prior authentication.
Public proof-of-concept exploits, authored by Gjoko Krstic, demonstrate how the flaw can be exploited remotely over a network, requiring no special privileges or user interaction.
Successful exploitation leads to full compromise of the confidentiality, integrity, and availability of affected systems.
Global Impact on Energy Sector Infrastructure
The vulnerability impacts Daikin Security Gateway systems running application version 100 and firmware version 214.
These gateways are widely deployed across energy production and distribution facilities to monitor and control critical industrial processes.
An attacker who leverages the bypass can access sensitive process data, manipulate control configurations, and disrupt essential operations.
Given the network-based attack vector and low complexity, systems exposed to the internet or accessible from business networks face an urgent threat.
Organizations must assume that any instance of the affected gateway connected to external or corporate networks is vulnerable.
Publicly available exploits magnify the risk, as threat actors can integrate the PoC into automated toolsets for large-scale campaigns targeting energy sector infrastructure.
Daikin has controversially stated it will not issue a formal patch and will only address the issue on a case-by-case basis for individual customers.
As a result, the responsibility for protection falls entirely on organizations operating these gateways.
CISA strongly recommends isolating all control system devices from the internet by placing them behind firewalls and segregating them from business networks through air-gapping or strict network segmentation.
When remote access is unavoidable, organizations should employ secure VPN solutions, recognizing that VPN security depends on endpoint integrity.
Additional measures include reducing network exposure of control systems, implementing defense-in-depth strategies such as multi-layer authentication and intrusion detection, and performing comprehensive impact analyses before deploying any changes.
Regularly reviewing access logs and conducting security audits of ICS assets will help detect anomalous activities early.
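One way to carry out the log review and segmentation check above, shown as an added example that is not code from CISA, Daikin, or this article. The log format (web-server combined style), the recovery path placeholder, and the management subnet are assumptions, since the advisory names none of them.

```python
import ipaddress
import re

# Assumptions, not from the advisory: substitute your site's own values.
RECOVERY_PATH = "/PLACEHOLDER-password-recovery"     # placeholder path
MGMT_NETS = [ipaddress.ip_network("10.20.30.0/28")]  # constructed subnet

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def review(lines, recovery_path=RECOVERY_PATH, mgmt_nets=MGMT_NETS):
    """Return (line_no, reason, detail) tuples that need an analyst's eyes."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            # Never drop what cannot be parsed; surface it for manual review.
            findings.append((n, "unparsed", line.strip()))
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            findings.append((n, "bad-source", m["src"]))
            continue
        path = m["path"].split("?", 1)[0].rstrip("/").lower()
        in_mgmt = any(src in net for net in mgmt_nets)
        if path == recovery_path.lower():
            # Recovery does not verify identity, so every use is reviewed;
            # use from outside the management segment is the urgent case.
            reason = "recovery-from-mgmt" if in_mgmt else "recovery-from-outside"
            findings.append((n, reason, str(src)))
        elif not in_mgmt:
            # Any outside source reaching the gateway means segmentation failed.
            findings.append((n, "outside-source", str(src)))
    return findings

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '10.20.30.5 - - [01/Jan/2025:08:00:01 +0000] "GET /index HTTP/1.1" 200 512',
    '10.20.30.5 - - [01/Jan/2025:08:02:10 +0000] "POST /PLACEHOLDER-password-recovery HTTP/1.1" 200 64',
    '192.0.2.44 - - [01/Jan/2025:09:15:42 +0000] "POST /PLACEHOLDER-password-recovery?x=1 HTTP/1.1" 200 64',
    '198.51.100.7 - - [01/Jan/2025:09:20:00 +0000] "GET /index HTTP/1.1" 200 512',
    'garbage line',
]

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```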
| CVE Number | Affected Product | Vulnerability Type | CVSS 3.1 Score | CVSS 4.0 Score |
|---|---|---|---|---|
| CVE-2025-10127 | Daikin Security Gateway (App: 100, Frm: 214) | Weak Password Recovery Mechanism for Forgotten Password (CWE-640) | 9.8 (Critical) | 8.8 (High) |
The post Daikin Security Gateway Vulnerability Allows Unauthorized System Access appeared first on Cyber Security News.
