CVE-2025-52352
Aikaan · IoT management platform
Aikaan IoT management platform fails to properly restrict user sign-ups, allowing registration even when the UI option is hidden.
Executive summary
The Aikaan IoT management platform contains a critical authentication bypass vulnerability that allows unauthorized users to register accounts, potentially leading to full system compromise.
Vulnerability
The flaw lies in the application's configuration logic: the "disable user sign-up" setting only hides the sign-up UI element and does not disable the underlying registration API endpoint. An unauthenticated attacker can therefore bypass the UI-level restriction and create unauthorized accounts.
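The failure mode described above, as an added illustration that is not Aikaan's code: a registration handler whose "disable sign-up" setting is only reported to the UI, beside a hardened handler that enforces the same setting server-side. Names such as PlatformConfig, register_vulnerable and register_hardened are assumed for the example; the platform's real endpoints and settings are not shown on this page.

```python
# Added example (not Aikaan's code): modelled with plain functions so it runs
# without a web framework. Handlers return (HTTP status, JSON body).
import json
from dataclasses import dataclass, field


@dataclass
class PlatformConfig:
    signup_enabled: bool = False  # assumed name for the "disable user sign-up" setting


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)


def ui_settings(cfg: PlatformConfig) -> dict:
    # The front end reads this flag and hides the sign-up form when it is False.
    return {"show_signup": cfg.signup_enabled}


def register_vulnerable(cfg: PlatformConfig, store: UserStore, body: bytes):
    # Vulnerable pattern: the API never consults the setting, so a direct
    # request to the endpoint succeeds even though the UI option is hidden.
    req = json.loads(body)
    store.users[req["username"]] = {"role": "user"}
    return 201, {"created": req["username"]}


def register_hardened(cfg: PlatformConfig, store: UserStore, body: bytes):
    # Hardened pattern: the setting is enforced on the server; the UI flag is
    # a convenience only and is never trusted as the control.
    if not cfg.signup_enabled:
        return 403, {"error": "self-service registration is disabled"}
    req = json.loads(body)
    if req["username"] in store.users:
        return 409, {"error": "user already exists"}
    store.users[req["username"]] = {"role": "user"}
    return 201, {"created": req["username"]}


def demo(signup_enabled: bool = False) -> dict:
    # Constructed request: the same JSON body sent to both handlers.
    cfg = PlatformConfig(signup_enabled=signup_enabled)
    body = json.dumps({"username": "newuser", "password": "example"}).encode()
    vuln_store, hard_store = UserStore(), UserStore()
    v_status, _ = register_vulnerable(cfg, vuln_store, body)
    h_status, _ = register_hardened(cfg, hard_store, body)
    return {"ui_hidden": not ui_settings(cfg)["show_signup"],
            "vulnerable_status": v_status, "hardened_status": h_status,
            "vulnerable_created": "newuser" in vuln_store.users,
            "hardened_created": "newuser" in hard_store.users}
```

With sign-up disabled, demo() shows the UI hidden yet the vulnerable handler returning 201 and creating the account, while the hardened handler returns 403 and creates nothing.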
Business impact
The ability of unauthorized actors to register accounts on an IoT management platform presents a severe risk of unauthorized access to managed devices and sensitive telemetry data. Given the CVSS score of 9.8, this vulnerability is classified as critical: it provides initial access that could lead to full platform compromise and lateral movement within the IoT infrastructure.
Remediation
Immediate Action: Update the Aikaan IoT management platform to the latest version provided by the vendor to ensure the sign-up API is correctly restricted.
Proactive Monitoring: Review user account creation logs for any suspicious or unauthorized registrations occurring since the last audit.
Compensating Controls: Implement network-level access controls to restrict access to the registration endpoint to authorized IP ranges only.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability represents a significant security oversight that exposes the management platform to unauthorized access. Administrators must prioritize updating the platform immediately to close the registration loophole and prevent unauthorized account creation.