CVE-2025-10681 - Vulnerability Details

- Gardyn Mobile Application and Device Firmware Use Hard-coded Credentials

Description

Storage credentials are hardcoded in the mobile app and device firmware. These credentials do not adequately limit end user permissions and do not expire within a reasonable amount of time. This vulnerability may grant unauthorized access to production storage containers.

Published: 2026-04-03

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Hard‑coded credentials embedded in the Gardyn mobile application and Home device firmware create a weakness that permits unauthorized authentication to Gardyn services, enabling attackers to access production storage containers. Because the credentials do not limit permissions, are not tied to a specific user, and lack an expiration policy, they expose the system to potential data theft, tampering, or service disruption.

Affected Systems

The flaw impacts Gardyn’s Cloud API, the Gardyn mobile application, and the firmware of Gardyn Home devices. Users are advised to upgrade to the latest mobile app version and to apply firmware version master.622 or newer on all home kits and studio devices.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is rated high severity. The EPSS score is not provided and the issue is not listed in CISA’s KEV catalog, but the persistent, non‑expiring credentials increase long‑term risk. Based on the description, it is inferred that attackers could extract the credentials from the mobile app or firmware and use them remotely to reach storage containers, provided the device maintains network connectivity. The official workaround is to upgrade the software; failure to do so keeps systems exposed to unauthorized access.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Gardyn

Mobile Application

unaffected

Version	Status	Constraints
`0`	affected	< 2.11.0

Gardyn

Cloud API

unaffected

Version	Status	Constraints
`0`	affected	< 2.12.2026

No data.

Vendor Product Confidence Versions

Gardyn

Cloud Api

100%

Version	Status	Scheme	Platform
`[0,2.12.2026)`	affected	generic	—

Gardyn

Mobile Application

100%

Version	Status	Scheme	Platform
`[0,2.11.0)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Workaround

Gardyn states that the relevant fixes are included in the latest version of the Gardyn mobile application. Users are required to run a supported version of the Gardyn App on their phone in order to access Gardyn services and devices. The current versions of the Gardyn App and the Gardyn Home firmware can be checked in the Gardyn App. For all vulnerabilities, Gardyn recommends users ensure their home kit and studio devices are upgraded to firmware master.622 or later. Gardyn also recommends that users update their mobile application to the most recent version. Gardyn requests that users ensure their devices have network connectivity in order to automatically download needed firmware updates. Unconnected devices will automatically update when configured with a working Internet connection.

OpenCVE Recommended Actions

Upgrade the Gardyn mobile application to the most recent version.
Upgrade all Gardyn Home devices to firmware master.622 or later.

Generated by OpenCVE AI on April 3, 2026 at 23:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00052.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-03.json
https://mygardyn.com/security/
https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03

History

Tue, 07 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Gardyn Gardyn cloud Api Gardyn mobile Application
Vendors & Products		Gardyn Gardyn cloud Api Gardyn mobile Application

Mon, 06 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 03 Apr 2026 21:30:00 +0000

Type	Values Removed	Values Added
Description		Storage credentials are hardcoded in the mobile app and device firmware. These credentials do not adequately limit end user permissions and do not expire within a reasonable amount of time. This vulnerability may grant unauthorized access to production storage containers.
Title		Gardyn Mobile Application and Device Firmware Use Hard-coded Credentials
Weaknesses		CWE-798
References		https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-03.json https://mygardyn.com/security/ https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03
Metrics		cvssV3_1 `{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L'}` cvssV4_0 `{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N'}`

Subscriptions

Gardyn Cloud Api Mobile Application

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2026-04-03T20:26:12.913Z

Updated: 2026-04-06T14:39:20.062Z

Reserved: 2025-09-18T11:58:39.111Z

Link: CVE-2025-10681

Vulnrichment

Updated: 2026-04-06T14:39:01.903Z

NVD

Status : Awaiting Analysis

Published: 2026-04-03T21:17:08.630

Modified: 2026-04-07T13:20:55.200

Link: CVE-2025-10681

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T22:22:20Z

Weaknesses

CWE-798

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object