Description

A vulnerability was identified in AC Smart II v2.1.9 (Rev.2251) that allows an administrator password reset without authentication or proper privilege checks.

During testing, it was observed that the page contains a hidden HTML element:

<div id="div_admin_pwd" style="position:absolute;top:180px;left:50%;width:411px;height:228px;margin:0 0 0 -235px;z-index:1; visibility: hidden;">

By removing the visibility: hidden property, the administrator password reset form becomes visible in the browser. Submitting this form is processed by the system without any session validation or authorization checks, enabling an unauthenticated attacker to modify administrative credentials and gain full control over the device.

The vendor confirmed the vulnerability but stated that AC Smart II v2.1.9 (Rev.2251) has been discontinued for over 10 years and is no longer supported with updates. As a result, no security patch will be provided.

Impact

• Complete compromise of the administrative account
• Disrupt critical operations (e.g., data centers, hospitals)
• Increase energy consumption and operational costs
• Cause discomfort or health risks to occupants

Affected Product

• AC Smart II v2.1.9 (Rev.2251) – End-of-Life (EOL), unsupported for over 10 years

Classification

• CWE-284 – Improper Access Control
• CWE-862 – Missing Authorization
• CAPEC-233 – Privilege Escalation

Remediation

I contacted the manufacturer, and they informed me that this version is over 10 years old and has reached its end of life. Therefore, it no longer receives updates. The recommended action is to remove access to this asset or prevent unauthorized hosts from accessing it.