CVE-2025-10681

HIGH

Gardyn Mobile Application and Device Firmware Use Hard-coded Credentials

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-10681. PoCs published by MichaelAdamGroberman.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2025-10681, a hardcoded Azure Blob Storage account key vulnerability in Gardyn devices and mobile applications. It includes root cause analysis, credential locations, impact assessment, and remediation recommendations.

Description

Storage credentials are hard-coded in the mobile application and in the device firmware. These credentials do not adequately limit end-user permissions and do not expire within a reasonable amount of time, so anyone who extracts them from the app or firmware may gain unauthorized access to production storage containers.
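As an added example (not code from Gardyn or from the linked write-up), the scanner below runs over a strings dump of a decompiled app or unpacked firmware image, finds hard-coded Azure Storage credentials, and rates each one on the two properties the description calls out: permission scope and expiry. The account-key and SAS token formats are Azure's documented ones; the sample dump, the account name `examplestorage`, the fake key, the 7-day lifetime threshold and the fixed "now" are constructed assumptions for this example.

```python
"""Scan extracted mobile-app or firmware strings for hard-coded Azure Storage
credentials and rate each on scope and lifetime (CWE-798).

Added example for this advisory; not Gardyn's code and not the linked
write-up's code. Every sample string below is constructed, not real."""

import base64
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# AccountKey= in a connection string is a 512-bit key, base64-encoded to
# 88 characters that always end in "==".
CONN_STRING_RE = re.compile(
    r"AccountName=(?P<name>[a-z0-9]{3,24});AccountKey=(?P<key>[A-Za-z0-9+/]{86}==)"
)
# A SAS token is a query string beginning with the service version (sv=)
# and carrying sp= (permissions) and se= (expiry) among other parameters.
SAS_RE = re.compile(r"sv=\d{4}-\d{2}-\d{2}(?:&[^&\s\"'<>]+)+")

MAX_SAS_LIFETIME = timedelta(days=7)  # policy threshold assumed for this example
MUTATING_PERMS = set("acwdxy")        # add, create, write, delete, delete version, permanent delete

# Fixed reference time so results are reproducible (advisory publication date).
FIXED_NOW = datetime(2026, 4, 3, tzinfo=timezone.utc)


def is_valid_account_key(key):
    """True if the candidate decodes to exactly 64 bytes, the real key length."""
    try:
        return len(base64.b64decode(key, validate=True)) == 64
    except ValueError:
        return False


def parse_expiry(value):
    """SAS se= is ISO 8601, date-only or with time; a trailing 'Z' means UTC."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def rate_sas(params, now):
    """Return the policy problems with one SAS token's parameters."""
    issues = []
    mutating = set(params.get("sp", "")) & MUTATING_PERMS
    if mutating:
        issues.append("grants mutating permissions: " + "".join(sorted(mutating)))
    expiry = parse_expiry(params.get("se", ""))
    if expiry is None:
        issues.append("no parseable expiry (se=)")
    elif expiry - now > MAX_SAS_LIFETIME:
        issues.append(f"expires {expiry.date()}, more than {MAX_SAS_LIFETIME.days} days out")
    return issues


def find_hardcoded_credentials(text, now=None):
    """Find connection-string account keys and SAS tokens; rate each one."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for m in CONN_STRING_RE.finditer(text):
        findings.append({
            "kind": "account_key",
            "account": m.group("name"),
            "well_formed": is_valid_account_key(m.group("key")),
            # An account key is full control over every container and never expires;
            # only rotating it on the Azure side revokes it.
            "issues": ["account key grants full control over the whole account",
                       "no expiry; only key rotation revokes it"],
        })
    for m in SAS_RE.finditer(text):
        params = {k: v[0] for k, v in parse_qs(m.group(0)).items()}
        findings.append({
            "kind": "sas_token",
            "permissions": params.get("sp", ""),
            "expires": params.get("se"),
            "issues": rate_sas(params, now),
        })
    return findings


# Constructed sample: what `strings` over a decompiled APK or unpacked firmware
# might yield. FAKE_KEY is base64 of the bytes 0..63, not a real key.
FAKE_KEY = base64.b64encode(bytes(range(64))).decode()
SAMPLE_DUMP = f"""
.rodata: DefaultEndpointsProtocol=https;AccountName=examplestorage;AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net
config.json: "telemetryUrl": "https://examplestorage.blob.core.windows.net/telemetry?sv=2022-11-02&ss=b&srt=sco&sp=rwdlac&se=2099-12-31T23:59:59Z&sig=FAKE%2Bsig%3D"
config.json: "firmwareUrl": "https://examplestorage.blob.core.windows.net/fw/v4.bin?sv=2022-11-02&sr=b&sp=r&se=2026-04-03T12:00:00Z&sig=FAKE%2Fsig%3D"
"""


def scan_sample(now=FIXED_NOW):
    return find_hardcoded_credentials(SAMPLE_DUMP, now)


if __name__ == "__main__":
    for f in scan_sample():
        print(f["kind"], f.get("account") or f.get("permissions"), "->", f["issues"] or "ok")
```

The third sample string shows what an acceptable embedded credential looks like: a read-only SAS scoped to one blob that expires within hours. The first two are the pattern this advisory describes, a full-control account key and a long-lived, write-capable SAS, neither of which can be limited or revoked from the client side. The usual fix is for the backend to issue short-lived, least-privilege SAS tokens to an authenticated client instead of shipping a shared secret in the app or firmware.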

Exploits (1)

nomisec · WRITEUP · 1 star
by MichaelAdamGroberman · poc
https://github.com/MichaelAdamGroberman/CVE-2025-10681

This repository provides a detailed technical analysis of CVE-2025-10681, a hardcoded Azure Blob Storage account key vulnerability in Gardyn devices and mobile applications. It includes root cause analysis, credential locations, impact assessment, and remediation recommendations.

Classification
Writeup 100%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: Gardyn Home Kit 1.0-4.0, Gardyn Studio 1.0-2.0
No auth needed
Prerequisites: Access to the hardcoded Azure Blob Storage account key
devstral-2 · analyzed Apr 07, 2026

Scores

CVSS v3 8.6
EPSS 0.0027
EPSS Percentile 19.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-798
Status published
Products (2)
Gardyn/Cloud API < 2.12.2026
Gardyn/Mobile Application < 2.11.0
Published Apr 03, 2026
Tracked Since Apr 04, 2026