CVE-2025-29631
published 2025-07-25


Priority: P273
Severity: critical
CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.81% (75.9th percentile)
Gardyn Home Kit firmware before master.619, Home Kit Mobile Application before 2.11.0, and Home Kit Cloud API before 2.12.2026 allow command injection through vulnerable methods that do not sanitize input before passing content to the operating system for execution. The vulnerability may allow an attacker to execute arbitrary operating system commands on a target Home Kit.

Affected (1 range)

Vendor    Product              Version range    Fixed in
gardyn    home_kit_firmware    < master.619     master.619

Detection & IOCs (extracted from sources)

  • Detect OS command injection attempts targeting Gardyn Home Kit — monitor for unsanitized input being passed to OS execution methods via the Cloud API or firmware interfaces
  • Alert on unauthenticated network requests (no credentials required, CVSS PR:N) to Gardyn Home Kit Cloud API endpoints that may carry shell metacharacters or command injection payloads
  • Flag Gardyn Home Kit devices running firmware versions earlier than master.619 as unpatched and at risk of command injection exploitation
  • Monitor for arbitrary OS command execution on Gardyn Home Kit edge devices, which may indicate successful exploitation of CVE-2025-29631
  • Correlate CVE-2025-29631 exploitation attempts with CVE-2025-29629 (weak default SSH credentials) and CVE-2025-1242 (hard-coded credentials) — chained exploitation could allow full device takeover and lateral movement to other edge devices in the Gardyn cloud environment
  • CVE-2025-29631 affects three distinct attack surfaces: the firmware (before master.619), the mobile application (before 2.11.0), and the Cloud API (before 2.12.2026) — detection coverage must account for all three vectors
  • As of the advisory date, Gardyn had not yet released a full mitigation for CVE-2025-29631 — a firmware upgrade to master.619 is recommended but may not fully remediate the vulnerability
  • The vulnerability is unauthenticated (CVSS PR:N), meaning no prior credential compromise is required for exploitation — network-level access controls are the primary compensating control until a full patch is available