A critical pre-authentication password reset vulnerability in Daikin Security Gateways, tracked as CVE-2025-10127, has entered a dangerous phase: public proof-of-concept exploit code is circulating, yet the vendor has informed CISA that no patch will be issued. The flaw allows unauthenticated attackers to reset device administrative credentials back to factory defaults, seizing full control of the gateway and any connected building automation or energy management systems. With affected devices deployed worldwide across the energy sector, operators must immediately apply compensating controls or risk targeted intrusions.
What Is the Daikin Security Gateway?
The Daikin Security Gateway is a network appliance that bridges on-site HVAC and building controllers to cloud management platforms. It centralizes configuration, monitoring, and remote access for heating, ventilation, air conditioning, and energy equipment. Compromise of such a gateway gives an attacker a pivot point into operational technology (OT) networks, where they can manipulate physical processes or exfiltrate sensitive telemetry.
Technical Details of the Vulnerability
Researcher Gjoko “LiquidWorm” Krstic of ZeroScience Lab publicly disclosed the flaw on August 29, 2025, in advisory ZSL-2025-15931. The root cause is a missing authorization check on the gateway’s password reset API endpoint: an IDOR-style authorization bypass classified as CWE-640 (Weak Password Recovery Mechanism for Forgotten Password). By sending a specially formatted HTTP POST request to that endpoint, an attacker can force the device to restore the default credentials “Daikin:Daikin” without any prior authentication.
Affected versions are Daikin Security Gateway with App: 100 and Firmware: 214. CISA’s advisory (ICSA-25-254-10) assigns a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and a CVSS v4 score of 8.8. Despite the high severity, Daikin Europe N.V. stated to CISA that they will not fix the vulnerability and will instead respond to individual user inquiries.
Public Exploit Code Lowers the Bar
Multiple exploit databases now mirror Krstic’s proof-of-concept script. The code simply sends a request to the vulnerable endpoint, requiring no authentication or user interaction. Script kiddies and automated scanners can easily weaponize this, putting any Internet-exposed gateway at immediate risk. Even devices tucked behind firewalls but reachable from enterprise networks remain vulnerable if lateral movement is possible.
CISA’s advisory notes that “no known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.” However, the public availability of PoC code signals that mass exploitation may follow swiftly, as seen in past ICS vulnerabilities.
Who Is Affected?
The Daikin Security Gateway is deployed globally, with a heavy concentration in the energy critical infrastructure sector. Building management systems in commercial real estate, data centers, hospitals, and industrial plants often rely on these gateways. Because the devices sit in network paths that link IT and OT, a breach can have cascading consequences—from altered temperature setpoints to full loss of environmental control or even safety interlocks.
Vendor Response: No Patch Coming
In a stark departure from typical vulnerability-handling practices, Daikin Europe N.V. told CISA that no patch will be provided. Instead, the vendor will handle issues on a per-case basis through customer support. This stance forces operators into a corner: either accept the risk while layering on compensating controls, or replace the hardware entirely. Given the long lifecycles of building automation equipment, immediate replacement may be impractical, making rigorous isolation the most viable short-term defense.
Mitigations That Must Be Applied Now
Without a patch, network administrators must treat every Daikin Security Gateway as a high-risk asset until further notice. CISA and independent security analysts recommend the following immediate actions:
- Inventory all gateways – Record models, firmware/app versions, and network segment placement. Confirm whether management interfaces are reachable from enterprise or Internet zones.
- Block external access – Use perimeter firewalls to deny all inbound traffic to the gateway’s HTTP/HTTPS management ports. If remote vendor access is necessary, enforce strict IP allow-listing, multi-factor authentication, and use a jump host rather than direct exposure.
- Isolate internally – Place gateways and connected controllers on a dedicated VLAN with egress filtering. Only permit inbound connections from authorized management workstations.
- Change default credentials immediately – Even though the vulnerability can reset them, having non-default passwords reduces the chance of opportunistic attacks if the reset endpoint is temporarily restricted.
- Rotate cloud keys and tokens – Revoke and reissue any API credentials or OAuth tokens the gateway uses to communicate with cloud services.
- Enable monitoring and alerting – Configure IDS/IPS rules to detect anomalous POST requests targeting password reset URIs. Log all admin logins and configuration changes, and trigger alerts on any password reset events.
- Prepare for replacement – If Daikin confirms in writing that no patch will ever be released, budget for and schedule a swap-out of the gateway with an alternative that receives regular security updates.
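Because the gateway itself will not be patched, the alerting step above has to come from whatever sits in front of it. The following is an added example (not code from the article, ZeroScience or Daikin) that classifies access-log lines from a logging reverse proxy or IDS placed in front of the gateway, raising alerts on POST requests to the reset endpoint and on probes from outside the management VLAN. The reset path pattern, the 10.10.5.0/24 management subnet and the log lines are all constructed placeholders, not values from the advisory.

```python
"""Added example (not from the article, ZeroScience or Daikin): flag
password-reset requests in an HTTP access log captured in front of a
Daikin Security Gateway, so a reset is alerted on even without a patch."""
import ipaddress
import re

# Assumptions (placeholders, not taken from the advisory): the gateway sits
# behind a logging reverse proxy or IDS writing combined-format access logs,
# the reset endpoint's path contains "reset" or "password", and authorized
# management workstations live in 10.10.5.0/24.
RESET_PATH = re.compile(r"(reset|password)", re.IGNORECASE)
MGMT_NET = ipaddress.ip_network("10.10.5.0/24")
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify(line: str):
    """Return (severity, reason) for one log line, or None if it is benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method, path, status = m.groups()
    if not RESET_PATH.search(path):
        return None
    trusted = ipaddress.ip_address(src) in MGMT_NET
    if method == "POST":
        # A POST to the reset path is the pre-auth reset the advisory describes;
        # from outside the management VLAN it is critical, inside it still needs review.
        sev = "high" if trusted else "critical"
        return (sev, f"POST to reset endpoint {path} from {src} (HTTP {status})")
    if not trusted:
        # A GET/HEAD from an untrusted source is reconnaissance of the endpoint.
        return ("medium", f"{method} probe of {path} from non-management host {src}")
    return None


def scan(lines):
    """Run classify() over an iterable of log lines and collect the alerts."""
    return [c for c in map(classify, lines) if c is not None]


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.10.5.20 - - [12/Sep/2025:09:14:02 +0000] "GET /login HTTP/1.1" 200 512',
    '203.0.113.45 - - [12/Sep/2025:09:14:30 +0000] "GET /api/password/reset HTTP/1.1" 200 128',
    '203.0.113.45 - - [12/Sep/2025:09:14:31 +0000] "POST /api/password/reset HTTP/1.1" 200 64',
    '10.10.5.20 - - [12/Sep/2025:10:02:11 +0000] "POST /api/password/reset HTTP/1.1" 200 64',
    '10.10.5.21 - - [12/Sep/2025:10:05:00 +0000] "GET /status HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_LOG):
        print(f"[{severity.upper()}] {reason}")
```

Feed the script the proxy's live access log (or a SIEM export) in place of SAMPLE_LOG; the "critical" alerts are the ones to treat as a suspected reset and hand to the incident response playbook below.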
How to Test for Exposure Safely
Operators should never run active exploits against production devices. Instead, verify vulnerability passively:
- Check the firmware and application version via the device UI or CLI. If it matches App: 100 / Firmware: 214, assume exploitability.
- Attempt to browse to the password reset endpoint from a controlled, logged host. If the page is accessible, the device is at risk.
- For definitive validation, test on an offline mirror or lab replica only, following organizational change-control policies.
Broader Implications for IoT and OT Security
Pre-authentication credential reset flaws are a recurring plague in embedded devices. Manufacturers often race to add cloud connectivity without implementing fundamental authorization checks. When a vendor refuses to patch, the burden falls entirely on asset owners—many of whom lack the resources to implement advanced network micro-segmentation or replace hardware at scale.
This incident also underscores the criticality of asset visibility. Most organizations cannot protect what they don’t know they have. A complete, up-to-date inventory of all OT and IoT devices is a prerequisite for any effective defense.
Incident Response Playbook
If compromise is suspected:
- Contain: Immediately disconnect the gateway from all networks and block its MAC addresses at switch ports.
- Preserve: Capture volatile data, logs, and forensic images before powering down.
- Analyze: Look for new admin accounts, altered configurations, or outbound connections to unknown IPs.
- Eradicate: Wipe the device and restore firmware from a known-good image, or replace it. Rotate all credentials and tokens.
- Recover: Bring the device back online only after hardening network access controls and confirming no persistent foothold remains.
- Report: Notify CISA if the incident affects critical infrastructure, as well as any applicable regulatory bodies.
The Bottom Line
CVE-2025-10127 represents a perfect storm for energy and building operators: a critical, easily exploitable vulnerability with public PoC and a vendor decision not to provide a fix. Security teams must act now to inventory devices, lock down network access, and prepare remediation roadmaps. The window between public exploit release and active attacks is shrinking, and passive acceptance is not an option.