Samsung HVAC DMS

Plan: Patch | CVSS 8.3 | ICS-CERT ICSA-25-210-02 | Jul 29, 2025
Attack path
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Samsung HVAC DMS contains multiple vulnerabilities (CWE-698, CWE-502, CWE-36, CWE-22, CWE-23) that allow unauthenticated remote code execution. Affected versions: 2.0.0 through 2.3.12.x, 2.5.0.17 through 2.6.13.x, and 2.7.0.15 through 2.9.3.4. The product is designed for isolated dedicated networks only and is not intended for Internet connectivity.

What this means
What could happen
An unauthenticated attacker with network access to the DMS could execute arbitrary commands and take control of HVAC systems, potentially disrupting building climate control, occupancy comfort, and facility operations.
Who's at risk
Water utilities, municipal facilities, commercial buildings, hospitals, and data centers operating Samsung HVAC DMS systems for climate control management. Affects all building HVAC operations that depend on the DMS for system control and monitoring.
How it could be exploited
An attacker with network connectivity to the Samsung HVAC DMS system could send a specially crafted network request exploiting the remote code execution vulnerabilities to execute arbitrary commands on the device without providing credentials.
Prerequisites
  • Network access to the Samsung HVAC DMS system (direct or through compromised internal network)
  • System running an affected version (2.0.0–2.3.12.x, 2.5.0.17–2.6.13.x, or 2.7.0.15–2.9.3.4)
  • No authentication required
Tags: remotely exploitable; no authentication required; high impact on operations; no patch available; affects critical building systems
Exploitability
Some exploitation risk — EPSS score 1.0%
Affected products (3), all EOL
Product | Affected Versions | Fix Status
Samsung HVAC DMS | >= 2.0.0 and < 2.3.13.0 | No fix (EOL)
Samsung HVAC DMS | >= 2.5.0.17 and < 2.6.14.0 | No fix (EOL)
Samsung HVAC DMS | >= 2.7.0.15 and < 2.9.3.5 | No fix (EOL)
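As an added example (not code from OTPulse or Samsung), the following check maps DMS version strings from an asset inventory onto the three affected ranges in the table above, so a facility team can see which units fall inside an EOL range and which do not; the asset names and versions in the sample inventory are constructed.

```python
# Added example (not OTPulse's or Samsung's code): map inventoried
# Samsung HVAC DMS versions onto the advisory's affected ranges.
from typing import List, Optional, Tuple

# Affected ranges from the advisory table, as [lower, upper) bounds.
AFFECTED_RANGES = (
    ("2.0.0", "2.3.13.0"),
    ("2.5.0.17", "2.6.14.0"),
    ("2.7.0.15", "2.9.3.5"),
)

def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '2.0.0' or '2.5.0.17' into a 4-tuple; missing parts are 0,
    so '2.0.0' compares as 2.0.0.0, matching the table's lower bound."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected DMS version format: {text!r}")
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))

def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the advisory range containing `version`, or None when it
    falls outside every listed range. The gaps between ranges (for example
    2.3.13.0 up to 2.5.0.17) are not declared affected by the advisory,
    so they also return None and are reported as 'not listed', not 'safe'."""
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        if parse_version(lower) <= v < parse_version(upper):
            return (lower, upper)
    return None

def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Build (asset, version, verdict) rows for an inventory report;
    unparseable versions are flagged rather than silently skipped."""
    rows = []
    for asset, version in inventory:
        try:
            rng = affected_range(version)
        except ValueError:
            rows.append((asset, version, "UNKNOWN: unparseable version"))
            continue
        if rng is None:
            rows.append((asset, version, "NOT LISTED in advisory ranges"))
        else:
            rows.append((asset, version, f"AFFECTED: {rng[0]} to <{rng[1]} (EOL, no fix)"))
    return rows

# Constructed sample inventory (hypothetical asset names and versions).
SAMPLE_INVENTORY = [("bldg-a-dms", "2.3.12.7"), ("bldg-b-dms", "2.4.0.1"),
                    ("dc-dms", "2.9.3.4"), ("lab-dms", "2.9.3.5"), ("old-dms", "v2")]
```

A "NOT LISTED" verdict only means the version is outside the published ranges; confirm with Samsung before treating such a unit as unaffected.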
Remediation & Mitigation
Do now
WORKAROUND: Immediately disconnect Samsung HVAC DMS systems from the Internet if currently connected
WORKAROUND: Implement firewall rules to block any network access to HVAC DMS systems from untrusted networks and the Internet
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Contact Samsung call center or authorized installer to request and deploy available software updates
HARDENING: Isolate HVAC DMS systems on a dedicated, physically separate network with no connectivity to business networks
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Samsung HVAC DMS >= 2.0.0 and < 2.3.13.0; Samsung HVAC DMS >= 2.5.0.17 and < 2.6.14.0; Samsung HVAC DMS >= 2.7.0.15 and < 2.9.3.5. Apply the following compensating controls:
HARDENING: If remote access to HVAC DMS is required for maintenance, use VPN with current security updates and restrict access to authorized personnel only


Samsung HVAC DMS | CVSS 8.3 - OTPulse