CVE-2025-29628
published 2025-07-25CVE-2025-29628: A Gardyn Azure IoT Hub connection string is downloaded over an insecure HTTP connection in Gardyn Home Kit firmware before master.619, Home Kit Mobile…
PriorityP353critical9.4CVSS 3.1
AVNACLPRNUINSUCHIHAL
EPSS
0.27%
18.6th percentile
A Gardyn Azure IoT Hub connection string is downloaded over an insecure HTTP connection in Gardyn Home Kit firmware before master.619, Home Kit Mobile Application before 2.11.0, and Home Kit Cloud API before 2.12.2026 leaving the string vulnerable to interception and modification through a Man-in-the-Middle attack. This may result in the attacker capturing device credentials or taking control of vulnerable home kits.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gardyn | home_kit_firmware | < master.619 | master.619 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA ICS
Gardyn Home Kit
cisa_ics·2026-02-24·CVSS 9.1
[CRITICAL] Gardyn Home Kit
ICS Advisory
##
Gardyn Home Kit
Release DateFebruary 24, 2026
Alert CodeICSA-26-055-03
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
View CSAF
## Summary
Successful exploitation of these vulnerabilities could allow unauthenticated users to access and control edge devices, access cloud-based devices and user information without authentication, and pivot to other edge devices managed in the Gardyn cloud environment.
The following versions of Gardyn Home Kit are affected:
- Home Kit Firmware
- Gardyn Home Kit Mobile Application <2.11.0 (CVE-2025-29628, CVE-2025-29629, CVE-2025-29631, CVE-2025-1242)
- Gardyn Home Kit Cloud API <2.12.2026 (CVE-2025-29628, CVE-2025-29629, CVE-2025-29631, CVE-2025-1242)
CVSS
Vendor
Equipm
GHSA
GHSA-82xm-jwxq-4436: An issue in Gardyn 4 allows a remote attacker to obtain sensitive information and execute arbitrary code via a request
ghsa_unreviewed·2025-07-25
CVE-2025-29628 [HIGH] CWE-77 GHSA-82xm-jwxq-4436: An issue in Gardyn 4 allows a remote attacker to obtain sensitive information and execute arbitrary code via a request
An issue in Gardyn 4 allows a remote attacker to obtain sensitive information and execute arbitrary code via a request
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-07-25
Published