CVE-2025-29628

CRITICAL

Gardyn Home Kit Firmware < master.619 - Exposure of Sensitive Information via Insecure HTTP Connection

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-29628. PoCs published by mselbrede, kristof-mattei.

AI-analyzed exploit summary This repository provides a detailed technical analysis of multiple vulnerabilities in the Gardyn Home 4.0 device, including insecure Azure IoTHub connection string transmission (CVE-2025-29628), weak default credentials (CVE-2025-29629), and an SSH key backdoor (CVE-2025-29630). The writeup includes root cause analysis, code snippets, and steps to reproduce the vulnerabilities.

Description

A Gardyn Azure IoT Hub connection string is downloaded over an insecure HTTP connection in Gardyn Home Kit firmware before master.619, Home Kit Mobile Application before 2.11.0, and Home Kit Cloud API before 2.12.2026 leaving the string vulnerable to interception and modification through a Man-in-the-Middle attack. This may result in the attacker capturing device credentials or taking control of vulnerable home kits.

Exploits (2)

nomisec WRITEUP

by mselbrede · poc

https://github.com/mselbrede/gardyn

View Code ZIP pw:eip

This repository provides a detailed technical analysis of multiple vulnerabilities in the Gardyn Home 4.0 device, including insecure Azure IoTHub connection string transmission (CVE-2025-29628), weak default credentials (CVE-2025-29629), and an SSH key backdoor (CVE-2025-29630). The writeup includes root cause analysis, code snippets, and steps to reproduce the vulnerabilities.

Classification

Writeup 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Gardyn Home 4.0 device

No auth needed

Prerequisites: Access to the local network or ability to perform MITM attacks · Azure IoTHub account for exploitation

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Apr 27, 2026 Full analysis →

nomisec WRITEUP

by kristof-mattei · poc

https://github.com/kristof-mattei/gardyn-hack

View Code ZIP pw:eip

This repository documents multiple vulnerabilities in the Gardyn Home 4.0 device, including weak default credentials, an SSH key backdoor, full device takeover, and command injection. The writeup details the disclosure timeline and current status of each CVE, indicating that some vulnerabilities remain unpatched.

Classification

Writeup 90%

Attack Type

Other

Complexity

Moderate

Reliability

Theoretical

Target: Gardyn Home 4.0

No auth needed

Prerequisites: Access to the Gardyn device · Network access to the device

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Various Sources

http://gardyn.com

Various Sources

https://github.com/mselbrede/gardyn/blob/main/CVE-2025-29628_CVE-2025-29631.md

View Writeup ZIP pw:eip

Various Sources

https://mygardyn.com/blog/security-update/

Third Party Advisory, US Government Resource

https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03

Scores

CVSS v3 9.4

EPSS 0.0027

EPSS Percentile 18.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-200 CWE-77 CWE-924

Status published

Products (1)

Gardyn/Home Kit Firmware < master.619

Published Jul 25, 2025

Tracked Since Feb 18, 2026