Daikin Holdings Singapore
Act Now | 9.8 | ICS-CERT ICSA-22-284-02 | Oct 11, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Daikin SVMPC1 (versions 2.1.22 and earlier) and SVMPC2 (versions 1.2.3 and earlier) controllers contain hardcoded credentials and improper access control that allow unauthenticated remote attackers to gain full system control or read sensitive configuration data. Daikin has released an automatic update for internet-connected controllers. Devices with internet access disabled should have that setting enabled to receive the patch. No public exploits currently exist.
What this means
What could happen
An attacker who reaches the SVM controller remotely could run arbitrary commands on the device, disabling or altering HVAC control logic or stealing sensitive building automation data. This could affect temperature, humidity, and energy management across connected zones.
Who's at risk
Building automation operators using Daikin SVMPC1 or SVMPC2 controllers should be concerned. These devices manage HVAC and energy systems in commercial buildings, offices, and facilities. Any organization with networked Daikin SVM controllers is at risk if the device is reachable from untrusted networks.
How it could be exploited
An attacker on the network can send crafted requests directly to the SVMPC1 or SVMPC2 controller without credentials. The device processes the request with full privileges, allowing the attacker to inject commands or read protected configuration and operational data.
Prerequisites
- Network access to the SVM controller on its management port
- No credentials required
- Controller must be reachable from the attacker's network location
Remotely exploitable | No authentication required | Low complexity attack | No patch available for versions in field | Affects facility control systems
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (2)
2 EOL
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| SVMPC1, SVMPC2 - SVMPC1 | ≤ 2.1.22 | No fix (EOL) |
| SVMPC1, SVMPC2 - SVMPC2 | ≤ 1.2.3 | No fix (EOL) |
Remediation & Mitigation
Do now
- HOTFIX: Enable internet access on the SVM controller so it automatically downloads and installs the security update from Daikin
- HARDENING: Place the SVM controller on a network segment isolated from the Internet and business networks using firewalls
- HARDENING: Restrict network access to the SVM controller management ports to only authorized engineering workstations and control networks using firewall rules
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- WORKAROUND: If remote access to the SVM controller is required, route traffic through a VPN and keep the VPN client and connected devices up to date
CVEs (2)