CVE-2025-1242
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
The administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. The exposure may result in an attacker gaining full administrative access to the Gardyn IoT Hub exposing connected devices to malicious control.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Gardyn | Home Kit | 0 < master.619 | affected |
| Gardyn | Home Kit Mobile Application | 0 < 2.11.0 | affected |
| Gardyn | Home Kit Cloud API | 0 < 2.12.2026 | affected |
Weaknesses
- CWE-798: CWE-798 Use of Hard-coded Credentials
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://mygardyn.com/security/
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-03.json
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.