Daikin Security Gateway

1. EXECUTIVE SUMMARY

  • CVSS v4 8.8
  • ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
  • Vendor: Daikin
  • Equipment: Security Gateway
  • Vulnerability: Weak Password Recovery Mechanism for Forgotten Password

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Daikin Security Gateway are affected:

  • Security Gateway: App: 100, Frm: 214

3.2 VULNERABILITY OVERVIEW

3.2.1 WEAK PASSWORD RECOVERY MECHANISM FOR FORGOTTEN PASSWORD CWE-640

Daikin Security Gateway is vulnerable to an authorization bypass through a user-controlled key, which could allow an attacker to bypass authentication. An unauthorized attacker could therefore access the system without prior credentials.

CVE-2025-10127 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-10127. A base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:L).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION:[…]
This article has been indexed from All CISA Advisories