https://sploitus.com/exploit?id=B89A0AF5-A6FC-5418-A9E6-871B526357E8
# CVE-2026-13768: Privileged IoT Hub Credential Enables Fleet Enumeration, Device RCE, and Home-Network Pivot
## Advisory
| Field | Value |
|-------|-------|
| **CVE** | CVE-2026-13768 |
| **ICSA** | [ICSA-26-183-03](https://www.cisa.gov/news-events/ics-advisories/icsa-26-183-03) (Gardyn IoT Hub) |
| **CVSS 3.1** | 10.0 (Critical) |
| **Vector (3.1)** | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L` |
| **Vector (4.0)** | `CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L` |
| **CWE** | CWE-798 (Use of Hard-coded Credentials) |
| **Researcher** | Michael Groberman |
| **Published** | 2026-07-02 |
| **Coordinated finding** | Gr0m-012 (IoT Hub fleet control) + Gr0m-013 (lateral network access) |
## Product
| Field | Value |
|-------|-------|
| Vendor | Gardyn |
| Product | Gardyn Home Kit, Gardyn Studio |
| Component | Azure IoT Hub control plane, Cloud API, device firmware |
| Affected Versions | Home Firmware … |

```python
", # injection sink in upgrade()
"path": "/tmp/x", "services": []})
manager.invoke_device_method(device_id, method)
```
### Home-network pivot
Each device sits on the customer's home WiFi. Command execution on the device provides a foothold behind the home firewall, from which an attacker can scan the LAN and interact with other hosts (routers, NAS, cameras, smart locks, personal computers). The device is the pivot point; it is already inside the network. This is the Gr0m-013 lateral-movement condition.
## Mapping to coordinated findings
| Aspect | Detail |
|--------|--------|
| Gr0m-012 | IoT Hub fleet control: enumeration, twin read/write, direct-method invocation, mass RCE potential |
| Gr0m-013 | Lateral network access: device-as-pivot into 38,831+ home networks |
| Consolidation | CISA published both conditions under one CWE-798 CVE (both were classified CWE-798 in the VU#653116 tracking sheet) |
| Relationship to CVE-2025-1242 | 1242 (ICSA-26-055-03) = credential *exposure*; 13768 (ICSA-26-183-03) = credential *blast radius* (control plane + lateral). Distinct remediation surfaces |
| Scope | CISA applied Scope:Changed (S:C), yielding base 10.0 |
## Remediation
Per ICSA-26-183-03, Gardyn states that the deployed IoT Hub infrastructure has been updated to address the listed vulnerabilities. The steps below separate the credential problem (1, 2, 5) from the device-side primitive that turns a credential into code execution (3, 4); fixing only one of the two leaves the other finding open.
1. Rotate the `iothubowner` administrative credential (breaks initial access).
2. Issue least-privilege, per-device credentials; retire fleet-wide administrative keys from any client-reachable path.
3. Eliminate the `upgrade()` command-injection sink (CVE-2025-29631) to remove the RCE primitive.
4. Enforce command allowlisting for direct methods.
5. Enable IoT Hub access logging and anomaly alerting (the vendor stated to CISA that no access logging existed on the affected endpoints during the exposure window).
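Steps 3 and 4 side by side, as an added example that is not Gardyn's firmware or the researcher's code. The direct-method names, payload keys, service names and package directory are assumptions chosen for illustration; the only thing taken from the page is that a direct-method payload reaches a shell command inside `upgrade()`. Neither handler executes anything: both return the command they would run, so the difference between string concatenation into `sh -c` and an allowlisted argv list is visible offline.

```python
import re
import shlex
from pathlib import PurePosixPath

# Assumed direct-method allowlist; the real firmware's method set is not on the page.
ALLOWED_METHODS = frozenset({"upgrade", "reboot", "get_status"})
# Assumed services the updater is allowed to restart.
ALLOWED_SERVICES = frozenset({"gardyn-app", "gardyn-pump"})
# Assumed directory from which update packages may be installed.
PACKAGE_DIR = PurePosixPath("/var/lib/firmware/packages")
PACKAGE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}\.tar\.gz$")


class MethodRejected(ValueError):
    """Raised when a direct method or its payload fails validation."""


def vulnerable_upgrade(payload: dict) -> str:
    """CWE-78 pattern: untrusted payload fields are concatenated into a single
    string that the device would hand to /bin/sh -c. Whatever the Hub operator
    (or anyone holding the iothubowner key) puts in 'path' or 'services' is
    executed verbatim on the device."""
    path = payload.get("path", "")
    services = " ".join(payload.get("services", []))
    return f"tar xzf {path} -C /opt/app && systemctl restart {services}"


def hardened_upgrade(payload: dict) -> list[list[str]]:
    """Validates every field against a closed vocabulary and returns argv
    lists for subprocess.run(argv, shell=False); metacharacters never reach
    an interpreter, and a bare file name cannot escape PACKAGE_DIR."""
    name = payload.get("path")
    if not isinstance(name, str) or not PACKAGE_NAME_RE.fullmatch(name):
        raise MethodRejected(f"package name rejected: {name!r}")
    package = PACKAGE_DIR / name
    services = payload.get("services", [])
    if not isinstance(services, list) or not all(
        isinstance(s, str) and s in ALLOWED_SERVICES for s in services
    ):
        raise MethodRejected(f"services rejected: {services!r}")
    commands = [["tar", "xzf", str(package), "-C", "/opt/app"]]
    commands += [["systemctl", "restart", svc] for svc in services]
    return commands


def reboot(payload: dict) -> list[list[str]]:
    return [["systemctl", "reboot"]]


def get_status(payload: dict) -> list[list[str]]:
    return [["systemctl", "is-active", "gardyn-app"]]


HANDLERS = {"upgrade": hardened_upgrade, "reboot": reboot, "get_status": get_status}


def dispatch(method_name: str, payload: dict) -> list[list[str]]:
    """Direct-method entry point: names outside the allowlist are refused
    before any handler runs, and every handler returns argv lists only."""
    if method_name not in ALLOWED_METHODS or method_name not in HANDLERS:
        raise MethodRejected(f"direct method not allowlisted: {method_name!r}")
    if not isinstance(payload, dict):
        raise MethodRejected("payload must be a JSON object")
    return HANDLERS[method_name](payload)


def render(commands: list[list[str]]) -> str:
    """Shell-quoted form of what would be executed, for the audit log."""
    return " && ".join(shlex.join(argv) for argv in commands)


if __name__ == "__main__":
    hostile = {"path": "/tmp/x; id", "services": []}  # constructed payload
    print("vulnerable:", vulnerable_upgrade(hostile))
    try:
        dispatch("upgrade", hostile)
    except MethodRejected as exc:
        print("hardened rejected:", exc)
    benign = {"path": "fw-2.3.1.tar.gz", "services": ["gardyn-app"]}
    print("hardened accepted:", render(dispatch("upgrade", benign)))
```

The allowlist is deliberately closed on both axes: the method name and every value inside the payload. Rejecting unknown methods at `dispatch()` is what step 4 asks for; refusing to build a shell string at all is what removes the step 3 primitive, and it is the only one of the two that survives a future handler author forgetting to validate a field.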
---
**Researcher:** Michael Groberman (Gr0m) · **Case:** CERT/CC VU#653116 · **Advisory:** ICSA-26-183-03