CVE-2025-10127 (CVSS 9.8): Critical Daikin Flaw Could Give Hackers Full System Access

By Ddos, September 12, 2025

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a security advisory about a critical flaw in Daikin Security Gateway devices that could allow attackers to bypass authentication and gain full system access. The vulnerability, tracked as CVE-2025-10127, has been assigned a CVSS v3.1 score of 9.8, placing it in the “critical” severity category.

According to CISA, “Daikin Security Gateway is vulnerable to an authorization bypass through a user-controlled key vulnerability that could allow an attacker to bypass authentication. An unauthorized attacker could access the system without prior credentials.”

The issue is categorized as CWE-640 (Weak Password Recovery Mechanism for Forgotten Password). In practice, this means an attacker can manipulate the password-recovery process to gain unauthorized access, completely undermining the device’s authentication. The affected version is Daikin Security Gateway: App 100, Frm 214.
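To make the weakness class concrete, here is an added, self-contained illustration of CWE-640 in Python: a recovery flow whose reset key is derived entirely from requester-supplied data, placed beside a hardened flow whose token is server-generated, stored only as a hash, bound to the account, time-limited and single-use. This is example code written for this page; it is not Daikin's firmware and makes no claim about how the Security Gateway actually implements recovery. All account names, password hashes and the 15-minute lifetime are constructed values.

```python
"""Weak vs. hardened 'forgot password' flows (illustration of CWE-640).

Added example, not vendor code. Accounts, hashes and timings are constructed.
"""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple


def _password_hash(password: str) -> str:
    # Placeholder for a real password hash (bcrypt/argon2); sha256 keeps the demo short.
    return hashlib.sha256(password.encode()).hexdigest()


class WeakRecovery:
    """Weak flow: the key that authorises a reset is computed from data the
    requester supplies (the username), so no server-side secret is involved and
    the key is identical on every request."""

    def __init__(self, accounts: Dict[str, str]):
        self.accounts = accounts

    def request_reset(self, username: str) -> str:
        # Recovery key derived from user-controlled input only: the CWE-640 pattern.
        return hashlib.sha256(("reset:" + username).encode()).hexdigest()

    def reset_password(self, username: str, key: str, new_password: str) -> bool:
        if username not in self.accounts:
            return False
        if key != self.request_reset(username):
            return False
        self.accounts[username] = _password_hash(new_password)
        return True


class HardenedRecovery:
    """Hardened flow: server-generated random token, stored as a hash, bound to
    one account, expiring, consumed on first use, compared in constant time."""

    TOKEN_TTL_SECONDS = 900  # constructed: 15-minute lifetime

    def __init__(self, accounts: Dict[str, str], now: Callable[[], float] = time.time):
        self.accounts = accounts
        self._now = now
        # username -> (sha256(token), expiry timestamp)
        self._pending: Dict[str, Tuple[str, float]] = {}

    def request_reset(self, username: str) -> Optional[str]:
        """Generate the token the caller cannot influence. It would be delivered
        out of band (e.g. to the registered e-mail); the HTTP response to the
        requester should look the same whether or not the account exists."""
        if username not in self.accounts:
            return None
        token = secrets.token_urlsafe(32)
        self._pending[username] = (
            hashlib.sha256(token.encode()).hexdigest(),
            self._now() + self.TOKEN_TTL_SECONDS,
        )
        return token

    def reset_password(self, username: str, token: str, new_password: str) -> bool:
        entry = self._pending.get(username)
        if entry is None:
            return False  # no outstanding request for this account
        stored_hash, expiry = entry
        if self._now() > expiry:
            self._pending.pop(username, None)
            return False  # expired: the caller must start over
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(stored_hash, presented):
            return False  # wrong token; constant-time compare avoids timing leaks
        # Single use: consume the token before the password changes.
        self._pending.pop(username, None)
        self.accounts[username] = _password_hash(new_password)
        return True


if __name__ == "__main__":
    weak = WeakRecovery({"admin": _password_hash("old")})
    print("weak key is deterministic:", weak.request_reset("admin") == weak.request_reset("admin"))
    hard = HardenedRecovery({"admin": _password_hash("old")})
    tok = hard.request_reset("admin")
    print("hardened reset with real token:", hard.reset_password("admin", tok, "new"))
    print("replay of the same token:", hard.reset_password("admin", tok, "again"))
```

The point of the contrast is the source of the key: in the weak flow every input to the check is under the requester's control, so the check adds nothing to authentication; in the hardened flow the only way to pass is to possess a secret the server generated and delivered over a channel the account owner controls, and that secret stops working after one use or after it expires.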

CISA notes that a public Proof of Concept (PoC) for the flaw already exists. However, Daikin has stated it will not be releasing a patch for this vulnerability. Instead, the company says it will respond directly to user inquiries. This means organizations relying on these devices will need to take mitigation measures themselves.

As of now, there have been no reports of active exploitation in the wild. Still, the presence of a publicly available PoC raises the likelihood that threat actors could begin targeting exposed systems in the near future.

CISA strongly urges users to take steps to reduce exposure:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available.