HackDefense Home
Jony Schats

Vulnerabilities in controller of refrigeration equipment

In this blogpost Stan Plasmeijer and Jony Schats will describe the vulnerabilities discovered in the AK-EM100 controller. This blogpost won’t include a proof of concept of the atttacks since there are still devices connected to the internet and the vulnerabilities discussed are of high risk. The AK-EM100 is a physical device and provides a web based graphical user interface of a store which allows a range of daily users to monitor data, alarms and reports, either locally or remotely, regarding all of their refrigeration equipment.

Together with DIVD we have disclosed the following five vulnerabilities:

Below is a brief description of each CVE and our recommendation.

CVE-2023 – 22583 SQL Injection

The login form of the device is vulnerable to a union based SQL injection. With this SQL injection it’s possible to retrieve information from the database, which will be returned in the location header of the response. By injecting a single quote a SQL error is shown:

Ak em 100 sql

CVE-2023 – 22584 Cleartext credentials

The database saves login information in cleartext (readable format). This means that the passwords of the users aren’t hashed. Hashing turns a users password into a short string of letters and/​or numbers using an encryption algorithm, hashing passwords is a best practice.

CVE-2023 – 22585 Unauthenticated Reflected Cross-Site Scripting

The login form of the AK-EM 100 reflects the username value when the login is invalid. It doesn’t sanitize the input, so if you input HTML or JavaScript it reflects this directly into the webpage. In the screenshot below we injected <h1>HackDefense</h1> into the username field.

Unauth reflected XSS

CVE-2023 – 22586 Local File Inclusion

The file parameters in the configuration pages are vulnerable for a Local File Inclusion vulnerability. This can be used to read system files.

CVE-2023 – 25911 OS Command Injection

Once authenticated it is possible to execute operating system commands from a webpage and take over the device. Once the device is taken over it is possible to pivot into the internal network the device is connected too. Due too the sensitivity of this vulnerability we won’t disclose specifics.


Our recommendation is to disconnect the AK-EM 100 from the internet or only allow specific IP-addresses to access the device. Danfoss their recommendation is to phase out the AK-EM 100.

Timeline of the DIVD case

DIVD Timeline
The most up to date versionof the timeline can be found at the DIVD Csirt website: https://​csirt​.divd​.nl/​c​a​s​e​s​/​D​I​V​D​-2023 – 00021/