CVE-2022-38355 in SVMPC1
Summary
by MITRE • 12/14/2022
Daikin SVMPC1 version 2.1.22 and prior and SVMPC2 version 1.2.3 and prior are vulnerable to attackers with access to the local area network (LAN) to disclose sensitive information stored by the affected product without requiring authentication.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/27/2026
The Daikin SVMPC1 and SVMPC2 devices represent industrial control systems that manage heating, ventilation, and air conditioning environments in commercial and industrial settings. These products operate within local area networks and handle sensitive operational data related to environmental controls, system configurations, and potentially proprietary business information. The vulnerability affects versions 2.1.22 and earlier for SVMPC1 and version 1.2.3 and earlier for SVMPC2, indicating a widespread exposure across multiple product generations. This weakness creates a significant security risk as it allows unauthorized network access to retrieve confidential data through unauthenticated network connections.
The technical flaw manifests as insufficient authentication mechanisms within the network communication protocols of these devices. Attackers can exploit this vulnerability by positioning themselves within the same local network segment as the affected equipment, leveraging the absence of proper access controls to extract sensitive information. The vulnerability falls under the category of information disclosure flaws that operate at the network protocol level, where the system fails to adequately validate connection requests before providing access to stored data. This represents a critical weakness in the device's security architecture that bypasses traditional authentication procedures.
The operational impact of this vulnerability extends beyond simple data exposure, as it compromises the integrity of industrial control systems that manage critical environmental conditions. An attacker gaining access to system configurations, operational parameters, or environmental data could potentially manipulate the HVAC systems to create unsafe conditions or disrupt business operations. The vulnerability creates a pathway for reconnaissance activities where adversaries can gather intelligence about system capabilities, network topology, and operational patterns that could be used for more sophisticated attacks. This exposure affects both the confidentiality and potentially the availability of services provided by these control systems.
Organizations should implement immediate network segmentation measures to isolate these devices from general network traffic and establish strict access controls for network segments containing industrial control equipment. The recommended mitigations include deploying network access control lists, implementing secure network protocols, and conducting regular vulnerability assessments of industrial control systems. Network administrators should also consider implementing intrusion detection systems specifically designed for industrial environments and establish monitoring procedures for unauthorized access attempts. This vulnerability aligns with CWE-284 which addresses inadequate access control mechanisms, and represents a significant concern for organizations operating within the industrial control systems domain as outlined in the ATT&CK framework's industrial control systems tactics.