CVE-2025-1242

CRITICAL

Gardyn IoT Hub - Info Disclosure

Title source: llm

Description

The administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. The exposure may result in an attacker gaining full administrative access to the Gardyn IoT Hub, exposing connected devices to malicious control.

Exploits (2)

nomisec WRITEUP
by MichaelAdamGroberman · poc
https://github.com/MichaelAdamGroberman/CVE-2025-1242
nomisec WRITEUP
by MichaelAdamGroberman · poc
https://github.com/MichaelAdamGroberman/ICSA-26-055-03

Scores

CVSS v3 9.1
EPSS 0.0004
EPSS Percentile 12.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE CWE-798
Status published
Products (3)
Gardyn/Home Kit < master.619
Gardyn/Home Kit Cloud API < 2.12.2026
Gardyn/Home Kit Mobile Application < 2.11.0
Published Feb 25, 2026
Tracked Since Feb 25, 2026