CVE-2025-1242
published 2026-02-25


Priority: P2 (64)
Severity: Critical, CVSS 3.1 base score 9.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.44% (35.0th percentile)
The administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. The exposure may result in an attacker gaining full administrative access to the Gardyn IoT Hub exposing connected devices to malicious control.

Affected (3 ranges)

Vendor   Product                       Version range   Fixed in
gardyn   home_kit                      < master.619    master.619
gardyn   home_kit_cloud_api            < 2.12.2026     2.12.2026
gardyn   home_kit_mobile_application   < 2.11.0        2.11.0

Detection & IOCs (extracted from sources)

  • Monitor API responses from the Gardyn Cloud API for leakage of administrative credentials or IoT Hub connection strings in plaintext; CVE-2025-1242 allows credential extraction via application API responses.
  • Alert on HTTP (non-TLS) traffic carrying Azure IoT Hub connection strings; CVE-2025-29628 downloads the connection string over insecure HTTP, making it interceptable via MitM.
  • Detect SSH login attempts to Gardyn Home Kit devices using default/weak credentials; CVE-2025-29629 documents weak default SSH credentials on the device.
  • Monitor for OS command injection patterns in input fields passed to Gardyn Home Kit methods; CVE-2025-29631 allows arbitrary OS command execution due to unsanitized input.
  • Flag Gardyn Home Kit devices running firmware versions older than master.619, mobile app versions older than 2.11.0, and Cloud API versions older than 2.12.2026 as unpatched and exposed to all four CVEs.
  • CVE-2025-1242 involves hard-coded credentials (CWE-798) embedded in the Gardyn IoT Hub; these credentials are extractable from API responses, the mobile app, and device firmware, so no single patch fully mitigates exposure until all three surfaces are updated.
  • CVE-2025-29631 (OS command injection) does not yet have a full mitigation from the vendor; Gardyn is still working on a complete fix, and firmware master.619 is a partial measure only.
  • Devices without network connectivity will NOT automatically receive firmware updates and remain vulnerable until manually connected to the Internet.
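Added example (not code from Gardyn, from the CVE sources, or from this site): detection logic for the first two IOCs above (hub credentials in API response bodies, and those credentials crossing the wire over plain HTTP) together with the version check from the fifth. It assumes a leaked hub credential takes the standard Azure IoT Hub connection-string form and that captured API traffic is available as (url, response body) pairs; the sample responses and inventory are constructed, and every hostname, path and key in them is made up.

```python
import re
from urllib.parse import urlparse

# Shape of an Azure IoT Hub connection string (defined by Azure, not Gardyn-specific):
#   HostName=<hub>.azure-devices.net;[DeviceId=<id>;]SharedAccessKeyName=<policy>;SharedAccessKey=<base64>
# Assumption: a leaked Gardyn hub credential appears in this form inside an API response body.
IOTHUB_CONN_RE = re.compile(
    r"HostName=(?P<host>[A-Za-z0-9-]+\.azure-devices\.net);"
    r"(?:DeviceId=(?P<device>[^;\s\"]+);)?"
    r"SharedAccessKeyName=(?P<policy>[^;\s\"]+);"
    r"SharedAccessKey=(?P<key>[A-Za-z0-9+/]{20,}={0,2})"
)

# Azure's built-in hub-level shared access policies. 'iothubowner' carries every
# permission, so a leaked key for it is a full administrative credential.
HUB_LEVEL_POLICIES = {"iothubowner", "service", "registryRead", "registryReadWrite"}

# Fixed versions from the Affected table on this page.
FIXED_IN = {
    "home_kit": "master.619",
    "home_kit_cloud_api": "2.12.2026",
    "home_kit_mobile_application": "2.11.0",
}


def version_key(version):
    """Numeric parts of a version as a tuple: 'master.618' -> (618,), '2.11.0' -> (2, 11, 0).
    The 'master' label is dropped so firmware tags compare by build number."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def is_unpatched(product, version):
    """True when `version` is below the fixed version for `product`; unknown products are not flagged."""
    fixed = FIXED_IN.get(product)
    return fixed is not None and version_key(version) < version_key(fixed)


def redact(key):
    """Keep just enough of a key to correlate findings without logging the secret."""
    return key[:4] + "..." + key[-4:]


def scan_response(url, body):
    """Findings for one captured API response: leaked hub credentials, and plaintext transport of them."""
    findings = []
    scheme = urlparse(url).scheme.lower()
    for m in IOTHUB_CONN_RE.finditer(body):
        policy = m.group("policy")
        scope = "device" if m.group("device") else "hub"
        findings.append({
            "type": "iothub_credential_in_response",
            "url": url,
            "host": m.group("host"),
            "policy": policy,
            "scope": scope,
            "full_admin": scope == "hub" and policy == "iothubowner",
            "hub_level": scope == "hub" and policy in HUB_LEVEL_POLICIES,
            "key": redact(m.group("key")),
        })
        if scheme == "http":  # credential crossed the wire without TLS (the CVE-2025-29628 pattern)
            findings.append({"type": "iothub_credential_over_plaintext_http",
                             "url": url, "host": m.group("host")})
    return findings


def scan_all(responses):
    """Run scan_response over (url, body) pairs and flatten the findings."""
    return [f for url, body in responses for f in scan_response(url, body)]


# Constructed sample traffic for the demo (hostnames, paths and keys are made up).
SAMPLE_RESPONSES = [
    ("http://api.example.invalid/v1/hub/config",
     '{"hub":"HostName=examplehub.azure-devices.net;SharedAccessKeyName=iothubowner;'
     'SharedAccessKey=' + "A" * 43 + '="}'),
    ("https://api.example.invalid/v1/device/config",
     '{"hub":"HostName=examplehub.azure-devices.net;DeviceId=hk-0001;SharedAccessKeyName=device;'
     'SharedAccessKey=' + "B" * 43 + '="}'),
    ("https://api.example.invalid/v1/status", '{"ok":true}'),
]

# Constructed inventory: (product, version) pairs as a fleet report might list them.
SAMPLE_INVENTORY = [
    ("home_kit", "master.618"),
    ("home_kit", "master.619"),
    ("home_kit_mobile_application", "2.10.3"),
    ("home_kit_cloud_api", "2.12.2026"),
]


if __name__ == "__main__":
    for finding in scan_all(SAMPLE_RESPONSES):
        print(finding)
    for product, version in SAMPLE_INVENTORY:
        print(product, version, "UNPATCHED" if is_unpatched(product, version) else "ok")
```

The device-scoped string (with a DeviceId) is reported but not marked hub-level: a per-device key only lets an attacker impersonate that one device, whereas an iothubowner key is the full administrative access the description warns about. Findings carry a redacted key on purpose; a detection pipeline that logs the whole secret becomes a second leak.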

CVSS provenance

NVD, CVSS v3.1: 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
NVD, CVSS v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X