Tracked as CVE-2025-10127, the flaw poses a severe risk to organizations worldwide that depend on Daikin’s security infrastructure to protect critical energy sector operations.
Security researchers from CISA discovered that a weak password recovery mechanism in the Daikin Security Gateway enables an authorization bypass through a user-controlled key vulnerability.
The recovery process fails to verify user identity properly, allowing an attacker to reset administrative credentials or directly gain system access without any prior authentication.
Public proof-of-concept exploits, authored by Gjoko Krstic, demonstrate how the flaw can be exploited remotely over a network, requiring no special privileges or user interaction.
Successful exploitation leads to full compromise of the confidentiality, integrity, and availability of affected systems.
The vulnerability impacts Daikin Security Gateway systems running application version 100 and firmware version 214.
These gateways are widely deployed across energy production and distribution facilities to monitor and control critical industrial processes.
An attacker who leverages the bypass can access sensitive process data, manipulate control configurations, and disrupt essential operations.
Given the network-based attack vector and low complexity, systems exposed to the internet or accessible from business networks face an urgent threat.
Organizations must assume that any instance of the affected gateway connected to external or corporate networks is vulnerable.
Publicly available exploits magnify the risk, as threat actors can integrate the PoC into automated toolsets for large-scale campaigns targeting energy sector infrastructure.
Daikin has controversially stated it will not issue a formal patch and will only address the issue on a case-by-case basis for individual customers.
As a result, the responsibility for protection falls entirely on organizations operating these gateways.
CISA strongly recommends isolating all control system devices from the internet by placing them behind firewalls and segregating them from business networks through air-gapping or strict network segmentation.
When remote access is unavoidable, organizations should employ secure VPN solutions, recognizing that VPN security depends on endpoint integrity.
Additional measures include reducing network exposure of control systems, implementing defense-in-depth strategies such as multi-layer authentication and intrusion detection, and performing comprehensive impact analyses before deploying any changes.
Regularly reviewing access logs and conducting security audits of ICS assets will help detect anomalous activities early.
| CVE Number | Affected Product | Vulnerability Type | CVSS 3.1 Score | CVSS 4.0 Score |
|---|---|---|---|---|
| CVE-2025-10127 | Daikin Security Gateway (App: 100, Frm: 214) | Weak Password Recovery Mechanism for Forgotten Password (CWE-640) | 9.8 (Critical) | 8.8 (High) |
Find this Story Interesting! Follow us on Google News, LinkedIn and X to Get More Instant Updates
The post Daikin Security Gateway Vulnerability Allows Unauthorized System Access appeared first on Cyber Security News.
Mother's Day lands on May 10 this year. This time around, why not get mom…
Ravensburger is one of my overall favorite puzzle brands that just so happens to have…
Call of Duty fans can breathe a sigh of relief as this year's entry will…
Fallout co-creator Tim Cain has shared his fear that some gamers are watching influencers just…
Similar to every other high-end GPU on the market, the AMD Radeon 9070 XT graphics…
Grand Theft Auto 6 won't be coming to PC when the game releases on November…
This website uses cookies.