Share
## https://sploitus.com/exploit?id=A20F10E8-717B-5B82-8E8A-2C085DD2F082
# ICSA-26-055-03 โ Gardyn Home Kit IoT Vulnerabilities
CISA ICS Advisory: [ICSA-26-055-03](https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03)
CERT/CC: [VU#653116](https://kb.cert.org/vuls/id/653116)
Researcher: Michael Groberman
Published: 2026-02-24
## CVEs
| CVE | Severity | CWE | Title |
|-----|----------|-----|-------|
| [CVE-2025-1242](CVE-2025-1242.md) | 9.1 Critical | CWE-798 | Exposure of Administrative IoT Hub Credentials |
| [CVE-2025-29628](CVE-2025-29628.md) | 8.3 High | CWE-319 | Cleartext Transmission of IoT Hub Credentials |
| [CVE-2025-29629](CVE-2025-29629.md) | 8.3 High | CWE-1392 | Use of Default Credentials |
| [CVE-2025-29631](CVE-2025-29631.md) | 9.1 Critical | CWE-78 | OS Command Injection via `upgrade()` Direct Method |
## Affected Product
**Vendor:** Gardyn
**Product:** Gardyn Home Kit (Models 1.0, 2.0, 3.0)
**Sector:** Food and Agriculture
| Component | Vulnerable Versions |
|-----------|-------------------|
| Firmware | < master.619 |
| Mobile Application | < 2.11.0 |
| Cloud API | < 2.12.2026 |
## Attack Chain
CVE-2025-1242 (hardcoded `iothubowner` credential) + CVE-2025-29631 (command injection in `upgrade()`) = unauthenticated remote root on any device in the fleet (~130,000 devices).
## References
- [CISA Advisory ICSA-26-055-03](https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03)
- [CSAF JSON](https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2026/icsa-26-055-03.json)
- [CERT/CC VU#653116](https://kb.cert.org/vuls/id/653116)