CVE-2025-57605

Lack · Lack Multiple Products (specifically AiKaan IoT Platform)

A high-severity vulnerability has been discovered in the Lack AiKaan IoT Platform, identified as CVE-2025-57605.

Executive summary

The flaw allows any authenticated user, regardless of privilege level, to elevate their own permissions and become an administrator of departments they do not belong to. Successful exploitation could lead to unauthorized access to sensitive data, manipulation of IoT device controls, and significant disruption to operations managed by the platform.

Vulnerability

The vulnerability is a server-side authorization bypass in the department administrator assignment API. The application does not verify whether the user initiating an admin-assignment request holds the permissions required to make that assignment. An authenticated, low-privileged attacker can therefore submit a request naming their own user account and a target department ID and be granted administrative privileges over that department.

Business impact

This is a High severity vulnerability with a CVSS score of 8.8. Exploitation allows for horizontal and vertical privilege escalation, fundamentally breaking the platform's access control model. An attacker could gain administrative control over departments they do not belong to, leading to potential consequences such as unauthorized access to and exfiltration of sensitive IoT data, manipulation of critical device settings, service disruption, and a complete compromise of the platform's multi-tenant security architecture. This poses a significant risk to data confidentiality, integrity, and availability for all departments managed by the platform.

Remediation

Immediate Action: Apply vendor security updates immediately. The vendor has released patches that correct the missing server-side authorization checks. After patching, review access logs for any unusual or unauthorized changes to administrative roles.

Proactive Monitoring: Monitor API logs for calls to the department admin assignment endpoints. Create alerts for any requests where the source user is not a super-administrator or an existing administrator of the target department. Regularly audit user account permissions and roles for any unexpected or unauthorized elevations.
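To make the missing check and the monitoring rule concrete, here is an added example (not code from the AiKaan platform or the advisory) in Python: a hardened assignment handler that authorizes the requester rather than the target user, and the same predicate applied as a detection over constructed audit-log lines. The endpoint path, the role store layout and the `"*"` super-admin marker are assumptions for illustration.

```python
import json
from dataclasses import dataclass, field

# Hypothetical role store: user -> set of department IDs they administer.
# "*" marks a super-administrator (an assumed convention, not the platform's).
@dataclass
class RoleStore:
    admins: dict = field(default_factory=dict)

    def is_super_admin(self, user: str) -> bool:
        return "*" in self.admins.get(user, set())

    def is_dept_admin(self, user: str, dept: str) -> bool:
        return dept in self.admins.get(user, set())

def may_assign_admin(store: RoleStore, requester: str, dept: str) -> bool:
    """The server-side check the advisory says is missing: only a super-admin
    or an existing admin of the target department may assign an admin there."""
    return store.is_super_admin(requester) or store.is_dept_admin(requester, dept)

def assign_department_admin(store: RoleStore, requester: str,
                            target_user: str, dept: str) -> bool:
    """Hardened handler: authorize the *requester*, never the target user."""
    if not may_assign_admin(store, requester, dept):
        return False  # a real handler would answer HTTP 403 here
    store.admins.setdefault(target_user, set()).add(dept)
    return True

def flag_suspicious_assignments(log_lines, store: RoleStore):
    """Detection for the monitoring rule above: flag assignment calls whose
    source user was neither a super-admin nor an admin of the target department.
    Evaluate against a role snapshot taken BEFORE the logged change; once an
    escalation has succeeded, the escalated user would pass the check."""
    flagged = []
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("endpoint") != "/api/department/admin/assign":  # assumed path
            continue
        if not may_assign_admin(store, ev["user"], ev["dept"]):
            flagged.append((ev["user"], ev["target"], ev["dept"]))
    return flagged

# Constructed sample data (not taken from the advisory).
SAMPLE_ROLES = RoleStore({"root": {"*"}, "alice": {"dept-1"}, "bob": set()})
SAMPLE_LOG = [
    '{"user":"alice","endpoint":"/api/department/admin/assign","target":"carol","dept":"dept-1"}',
    '{"user":"bob","endpoint":"/api/department/admin/assign","target":"bob","dept":"dept-2"}',
    '{"user":"bob","endpoint":"/api/device/list","target":"","dept":"dept-2"}',
]
```

Running `flag_suspicious_assignments(SAMPLE_LOG, SAMPLE_ROLES)` reports only the second line, where a non-admin assigned himself to a department he does not administer.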

Compensating Controls: If patching is not immediately possible, consider the following controls:

  • Implement Web Application Firewall (WAF) rules to restrict access to the vulnerable API endpoints or to block requests that match a known exploitation pattern.
  • Restrict network access to the platform's management interface to a minimal set of trusted IP addresses.
  • Implement a frequent, automated audit of user permissions to detect and revert unauthorized changes in near-real-time.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the High severity (CVSS 8.8) and the critical impact of a successful privilege escalation attack, immediate remediation is strongly recommended. Organizations must prioritize the deployment of the vendor-provided security updates to all affected instances of the AiKaan IoT Platform. Although this CVE is not currently on the CISA KEV list, its high impact and relative ease of exploitation for an authenticated user make it a critical threat. Following patching, a thorough audit of all department administrator roles should be conducted to ensure no prior compromise has occurred.