Hacking Hotels via Smart Stationary Bikes: How Unsecured Gym Equipment Can Lead to RCE
ID: cf7a5b9c-1e58-5fe0-9dc9-366eaebff43a
STIX ID: report--cf7a5b9c-1e58-5fe0-9dc9-366eaebff43a
Feed Name: LevelBlue SpiderLabs Blog
SpiderLabs performed a penetration test at a hospitality site and demonstrated how an IoT smart bike with an unauthenticated web browser and accessible network ports could be abused as an initial access vector. From the guest VLAN, the testers enumerated internal resources (including PCI servers), exploited a path traversal issue, leveraged an open switch port to connect an attack machine, and ultimately achieved an Oracle WebLogic authentication bypass and remote code execution. The report highlights inadequate switch port security and network segmentation, and recommends layered defenses for IoT assets.
