CERT/CC VU#653116 | CISA Advisory ICSA-26-055-03
CISA ICS Advisory: ICSA-26-055-03
CERT/CC: VU#653116
Researcher: Michael Groberman (Gr0m)
Contact: michael@groberman.tech · LinkedIn
Published: 2026-02-24 | Updated: 2026-04-02 (Update A)
Update A (2026-04-02): Added vulnerabilities (CVE-2025-10681, CVE-2026-28766, CVE-2026-25197, CVE-2026-32646, CVE-2026-28767, CVE-2026-32662). Modified mitigations as recommended by Gardyn. Associated affected products with relevant vulnerabilities. Updated product version numbers.
Additional findings beyond this advisory are pending coordinated disclosure.
- 10 CVEs (4 Critical, 4 High, 2 Medium) across firmware, mobile app, and cloud API
- 134,215 user records — described by CISA as "all user account information" — were exposed without authentication for 6+ years, including names, emails, phone numbers, and partial credit card numbers (CVE-2026-28766). Gardyn's public statement that "these vulnerabilities did not expose financial or credit card information" is contradicted by the `last_four` field in the API response, which returned populated partial card numbers for paying subscribers
- Unauthenticated remote root on any device in the fleet via hardcoded IoT Hub admin credential + command injection (CVE-2025-1242 + CVE-2025-29631)
- 138,160+ registered IoT devices affected across Gardyn Home Kit and Studio product lines
- The IoT Hub admin credential was exposed for 6+ years (since ~May 2019) and was reused after a hub migration, meaning prior captures still grant access
- Administrative API endpoints (`/api/admin/*`) deployed without any authentication (CVE-2026-32646, CVE-2026-28767)
- Development endpoints in production historically returned production credentials without auth (CVE-2026-32662)
- No access logging existed on affected endpoints -- the vendor confirmed that the scope of unauthorized access during the 6+ year exposure window cannot be determined
- Gardyn's public statement that they have "no evidence that these vulnerabilities were exploited" is not meaningful without the ability to detect exploitation -- the vendor confirmed no access logging existed on the affected endpoints, so absence of evidence is not evidence of absence
- Vendor remediation: upgrade firmware to master.622+, mobile app to 2.11.0+, cloud API to 2.12.2026+
Successful exploitation of these vulnerabilities could allow unauthenticated users to access and control edge devices, access cloud-based devices and user information without authentication, and pivot to other edge devices managed in the Gardyn cloud environment.
| CVE | Severity | CWE | Title |
|---|---|---|---|
| CVE-2026-28766 (Repo · CVE Record) | 9.3 Critical | CWE-306 | Missing Authentication -- User Account Endpoint |
| CVE-2025-1242 (Repo · CVE Record) | 9.1 Critical | CWE-798 | Use of Hard-coded Credentials |
| CVE-2025-29631 (CVE Record) | 9.1 Critical | CWE-78 | OS Command Injection |
| CVE-2026-25197 (Repo · CVE Record) | 9.1 Critical | CWE-639 | Authorization Bypass via User-Controlled Key (IDOR) |
| CVE-2025-10681 (Repo · CVE Record) | 8.6 High | CWE-798 | Hardcoded Azure Blob Storage Account Key |
| CVE-2025-29628 (CVE Record) | 8.3 High | CWE-319 | Cleartext Transmission of Sensitive Information |
| CVE-2025-29629 (CVE Record) | 8.3 High | CWE-1392 | Use of Default Credentials |
| CVE-2026-32646 (Repo · CVE Record) | 7.5 High | CWE-306 | Missing Authentication -- Admin Device Management |
| CVE-2026-28767 (Repo · CVE Record) | 5.3 Medium | CWE-306 | Missing Authentication -- Admin Notifications |
| CVE-2026-32662 (Repo · CVE Record) | 5.3 Medium | CWE-489 | Active Debug Code in Production |
Vendor: Gardyn
Product: Gardyn Home Kit (Models 1.0, 2.0, 3.0, 4.0), Gardyn Studio (Models 1.0, 2.0)
Sector: Food and Agriculture
Registered Devices: 138,160+
| Component | Vulnerable Versions | Applicable CVEs |
|---|---|---|
| Firmware | < master.622 | CVE-2025-1242, CVE-2025-10681, CVE-2025-29628, CVE-2025-29629, CVE-2025-29631 |
| Mobile Application | < 2.11.0 | CVE-2025-1242, CVE-2025-10681, CVE-2025-29628 |
| Cloud API | < 2.12.2026 | CVE-2025-1242, CVE-2025-10681, CVE-2026-28766, CVE-2026-25197, CVE-2026-32646, CVE-2026-28767, CVE-2026-32662 |
Chain 1 -- Unauthenticated Remote Root (any device)
CVE-2025-1242 (hardcoded iothubowner credential) + CVE-2025-29631 (command injection in upgrade()) = unauthenticated remote root on any device in the fleet (~138,160 registered devices).
Chain 2 -- Mass PII Exposure (all users)
CVE-2026-28766 (unauthenticated /api/users endpoint — no authentication chain required) + CVE-2026-25197 (IDOR via /api/user/{id} — sequential integer IDs, any valid ID returns that user's data) = full PII exposure for 134,215 users including names, emails, phone numbers, and partial payment card data. The IDOR is a direct consequence of the API design: no authorization checks, sequential IDs, every endpoint returns any requested record.
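The authorization gap behind Chain 2 and the unauthenticated `/api/admin/*` endpoints, shown as an added toy model (not Gardyn's code). The vulnerable handlers reproduce the pattern the advisory describes (no caller identity, sequential IDs, every record returned including `last_four`); the hardened handlers add authentication, object-level ownership checks, an explicit admin role and an access log. User records, roles and the `AUDIT` log are constructed for the example.

```python
from typing import Optional

# Constructed sample data with sequential integer IDs, as in the advisory.
USERS = {
    1: {"id": 1, "name": "Alice", "email": "alice@example.com", "last_four": "4242"},
    2: {"id": 2, "name": "Bob", "email": "bob@example.com", "last_four": "1881"},
}
ROLES = {1: "admin", 2: "user"}   # constructed: who may call /api/admin/*
AUDIT = []                        # constructed access log (the real API had none)


class Forbidden(Exception):
    """Raised when a request fails authentication or authorization."""


def vulnerable_get_user(user_id: int) -> Optional[dict]:
    """CVE-2026-25197 pattern: caller identity is never consulted, so any
    valid /api/user/{id} returns that user's full record."""
    return USERS.get(user_id)


def vulnerable_list_users() -> list:
    """CVE-2026-28766 pattern: /api/users with no authentication at all."""
    return list(USERS.values())


def _audit(caller_id: Optional[int], route: str, allowed: bool) -> None:
    AUDIT.append({"caller": caller_id, "route": route, "allowed": allowed})


def hardened_get_user(caller_id: Optional[int], user_id: int) -> dict:
    """Object-level authorization: an authenticated caller may read only its
    own record (admins may read any); the partial card number is not returned."""
    route = f"/api/user/{user_id}"
    if caller_id is None or (caller_id != user_id and ROLES.get(caller_id) != "admin"):
        _audit(caller_id, route, False)
        raise Forbidden("not authenticated or not the record owner")
    rec = USERS.get(user_id)
    if rec is None:
        raise KeyError(user_id)
    _audit(caller_id, route, True)
    return {k: v for k, v in rec.items() if k != "last_four"}


def hardened_admin_list_users(caller_id: Optional[int]) -> list:
    """Gate for /api/admin/*: authentication plus an explicit admin role."""
    allowed = caller_id is not None and ROLES.get(caller_id) == "admin"
    _audit(caller_id, "/api/admin/users", allowed)
    if not allowed:
        raise Forbidden("admin role required")
    return [hardened_get_user(caller_id, uid) for uid in USERS]
```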
CVE-2025-29628, CVE-2025-29629, and CVE-2025-29631 were originally discovered and disclosed by mselbrede in February 2025, with technical details and proof-of-concept published in July 2025. This advisory builds on that prior CVE work.
mselbrede's published research includes vulnerable source code, default credentials, and a proof-of-concept for device takeover via Man-in-the-Middle attack. Technical details for the overlapping CVEs are available in their repository.
| Date | Revision | Changes |
|---|---|---|
| 2026-02-24 | Initial Publication | CVE-2025-1242, CVE-2025-10681, CVE-2025-29628, CVE-2025-29629, CVE-2025-29631 |
| 2026-04-02 | Update A | Added vulnerabilities (CVE-2025-10681, CVE-2026-28766, CVE-2026-25197, CVE-2026-32646, CVE-2026-28767, CVE-2026-32662). Modified mitigations as recommended by Gardyn. Associated affected products with relevant vulnerabilities. Updated product version numbers. |
- CISA Advisory ICSA-26-055-03
- CSAF JSON
- CERT/CC VU#653116
- Gardyn Security Update