Michael Groberman

7 exploits, active since Feb 2026

CVE-2025-10681 (HIGH)
Gardyn Mobile Application and Device Firmware Use Hard-coded Credentials
Storage credentials are hardcoded in the mobile app and device firmware. These credentials do not adequately limit end user permissions and do not expire within a reasonable amount of time. This vulnerability may grant unauthorized access to production storage containers.
CVSS 8.6
CVE-2026-25197 (CRITICAL)
Gardyn Cloud API Authorization Bypass Through User-Controlled Key
A specific endpoint allows authenticated users to pivot to other user profiles by modifying the id number in the API call.
CVSS 9.1
CVE-2026-28766 (CRITICAL)
Gardyn Cloud API Missing Authentication for Critical Function
A specific endpoint exposes all user account information for registered Gardyn users without requiring authentication.
CVSS 9.3
CVE-2026-28767 (MEDIUM)
Gardyn Cloud API Missing Authentication for Critical Function
A specific administrative notifications endpoint is accessible without proper authentication.
CVSS 5.3
CVE-2026-32646 (HIGH)
Gardyn Cloud API Missing Authentication for Critical Function
A specific administrative endpoint is accessible without proper authentication, exposing device management functions.
CVSS 7.5
CVE-2026-32662 (MEDIUM)
Gardyn Cloud API Active Debug Code
Development and test API endpoints are present that mirror production functionality.
CVSS 5.3
CVE-2025-1242 (CRITICAL)
Gardyn IoT Hub - Info Disclosure
The administrative credentials can be extracted from application API responses, by reverse engineering the mobile application, and by reverse engineering the device firmware. This exposure may give an attacker full administrative access to the Gardyn IoT Hub, placing connected devices under malicious control.
CVSS 9.1