CVE-2025-1242

CRITICAL

Gardyn IoT Hub - Info Disclosure

Title source: llm

Description

The administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. The exposure may result in an attacker gaining full administrative access to the Gardyn IoT Hub, exposing connected devices to malicious control.

Exploits (2)

nomisec WRITEUP
by MichaelAdamGroberman · poc
https://github.com/MichaelAdamGroberman/ICSA-26-055-03
nomisec WRITEUP
by MichaelAdamGroberman · poc
https://github.com/MichaelAdamGroberman/CVE-2025-1242

Scores

CVSS v3 9.1
EPSS 0.0004
EPSS Percentile 10.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Classification

CWE
CWE-798
Status draft

Timeline

Published Feb 25, 2026
Tracked Since Feb 25, 2026