CVE-2025-52352

Aikaan · IoT management platform

Aikaan IoT management platform fails to properly restrict user sign-ups, allowing registration even when the UI option is hidden.

Executive summary

The Aikaan IoT management platform contains a critical authentication bypass vulnerability that allows unauthorized users to register accounts, potentially leading to full system compromise.

Vulnerability

This vulnerability stems from a flaw in the application's configuration logic: the "disable user sign-up" setting only hides the sign-up element in the UI, while the underlying registration API endpoint remains enabled. An unauthenticated attacker can bypass this UI-level restriction by calling the endpoint directly and create unauthorized accounts.

Business impact

The ability for unauthorized actors to register accounts on an IoT management platform presents a severe risk of unauthorized access to managed devices and sensitive telemetry data. Given the CVSS score of 9.8, this vulnerability is classified as critical, as it facilitates initial access that could lead to full platform compromise and lateral movement within the IoT infrastructure.

Remediation

Immediate Action: Update the Aikaan IoT management platform to the latest version provided by the vendor to ensure the sign-up API is correctly restricted.

Proactive Monitoring: Review user account creation logs for any suspicious or unauthorized registrations occurring since the last audit.

Compensating Controls: Implement network-level access controls to restrict access to the registration endpoint to authorized IP ranges only.
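The pattern described under Vulnerability, and the account-creation log review recommended above, as an added example that is not Aikaan's code: a hypothetical registration handler whose "disable user sign-up" setting gates only the rendered UI, beside a version that enforces the same setting on the API path, plus a check over the resulting audit records. Setting name, handler signatures, request shape and audit format are all assumptions.

```python
# Added illustrative example, not Aikaan's code: setting name, handler signatures,
# request shape and audit format are hypothetical models of the advisory's bug class.
from dataclasses import dataclass, field


@dataclass
class PlatformConfig:
    signup_enabled: bool = False  # admin turns on "disable user sign-up" -> False


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # (event, username) records

    def create(self, username: str, password_hash: str) -> None:
        self.users[username] = password_hash
        self.audit.append(("user.created", username))


def render_login_page(cfg: PlatformConfig) -> str:
    # Hiding the link when sign-up is disabled is fine as UX, but a browser is
    # not the only client: a hidden control is not an authorization check.
    link = '<a href="/signup">Create account</a>' if cfg.signup_enabled else ""
    return "<form>login</form>" + link


def register_vulnerable(cfg: PlatformConfig, store: UserStore, req: dict) -> int:
    # Vulnerable pattern: the API path never reads cfg.signup_enabled, so a
    # request sent straight to the endpoint succeeds while the UI shows no option.
    store.create(req["username"], req["password_hash"])
    return 201


def register_hardened(cfg: PlatformConfig, store: UserStore, req: dict) -> int:
    # Hardened pattern: the same setting is enforced server-side before any
    # account is written, regardless of what the UI rendered.
    if not cfg.signup_enabled:
        store.audit.append(("signup.rejected", req["username"]))
        return 403
    store.create(req["username"], req["password_hash"])
    return 201


def unexpected_registrations(store: UserStore, cfg: PlatformConfig) -> list:
    # Retrospective check for the log review: while sign-up is disabled, any
    # user.created record is an account that should not have been possible.
    if cfg.signup_enabled:
        return []
    return [user for event, user in store.audit if event == "user.created"]
```

Against the same disabled configuration, the vulnerable handler returns 201 and leaves a user.created record that the check flags, while the hardened handler returns 403 and records only the rejection.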

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability represents a significant security oversight that exposes the management platform to unauthorized access. Administrators must prioritize updating the platform immediately to close the registration loophole and prevent unauthorized account creation.