CVE-2025-1242 - Vulnerability Details

- Administrative Credentials Can Be Extracted Through Gardyn API Responses

Description

The administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. The exposure may result in an attacker gaining full administrative access to the Gardyn IoT Hub exposing connected devices to malicious control.

Published: 2026-02-25

Score: 9.3 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability allows an attacker to retrieve administrative credentials through Gardyn API responses, or by reverse engineering the mobile application or device firmware. The weakness is a hard‑coded credential scenario, classified as CWE‑798. Discovery of these credentials grants an attacker full administrative access to the Gardyn IoT Hub, which in turn enables malicious control over all connected devices, posing significant confidentiality, integrity, and availability risks.

Affected Systems

The affected products include Gardyn Home Kit devices, Gardyn Home Kit Cloud API, and Gardyn Home Kit Mobile Application. All current firmware versions prior to the master.619 release and any mobile app releases older than the latest version are vulnerable.

Risk and Exploitability

The CVSS score of 9.3 indicates a severe impact. The EPSS score of less than 1% suggests the likelihood of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, via API requests or by reverse engineering the application or firmware, enabling an adversary to extract credentials without direct physical access.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Gardyn

Home Kit

unaffected

Version	Status	Constraints
`0`	affected	< master.619

Gardyn

Home Kit Mobile Application

unaffected

Version	Status	Constraints
`0`	affected	< 2.11.0

Gardyn

Home Kit Cloud API

unaffected

Version	Status	Constraints
`0`	affected	< 2.12.2026

No data.

Vendor Product Confidence Versions

Gardyn

Home Kit

100%

Version	Status	Scheme	Platform
`[0,master.619)`	affected	generic	—

Gardyn

Home Kit Cloud Api

100%

Version	Status	Scheme	Platform
`[0,2.12.2026)`	affected	generic	['0']

Gardyn

Home Kit Mobile Application

100%

Version	Status	Scheme	Platform
`[0,2.11.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

For all vulnerabilities, Gardyn recommends users ensure their home kit devices are upgraded to firmware master.619 or later. Gardyn also recommends that users update their mobile application to the most recent version. Gardyn requests that users ensure their home kits have network connectivity in order to automatically download needed firmware updates. Unconnected devices will automatically update when configured with a working Internet connection.

OpenCVE Recommended Actions

Update all Home Kit devices to firmware master.619 or later
Upgrade the Gardyn mobile application to the most recent version
Ensure devices are connected to the Internet so they can automatically download and install updates

Generated by OpenCVE AI on May 1, 2026 at 05:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00042.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-03.json
https://mygardyn.com/security/
https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03

History

Thu, 26 Feb 2026 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Gardyn Gardyn home Kit Gardyn home Kit Cloud Api Gardyn home Kit Mobile Application
Vendors & Products		Gardyn Gardyn home Kit Gardyn home Kit Cloud Api Gardyn home Kit Mobile Application

Thu, 26 Feb 2026 11:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 25 Feb 2026 15:45:00 +0000

Type	Values Removed	Values Added
Description		The administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. The exposure may result in an attacker gaining full administrative access to the Gardyn IoT Hub exposing connected devices to malicious control.
Title		Administrative Credentials Can Be Extracted Through Gardyn API Responses
Weaknesses		CWE-798
References		https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-03.json https://mygardyn.com/security/ https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}` cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

Gardyn Home Kit Home Kit Cloud Api Home Kit Mobile Application

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2026-02-25T15:21:48.369Z

Updated: 2026-04-22T17:54:24.634Z

Reserved: 2025-02-11T23:20:18.245Z

Link: CVE-2025-1242

Vulnrichment

Updated: 2026-02-25T20:30:40.616Z

NVD

Status : Deferred

Published: 2026-02-25T16:23:20.930

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-1242

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T06:00:13Z

Weaknesses

CWE-798

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object