CVE-2025-10681
Hardcoded Azure Blob Storage Account Key

| CVE | CVE-2025-10681 |
|---|---|
| Severity | High (8.6) |
| Weakness (CWE) | CWE-798: Use of Hard-coded Credentials |
| Affected components | Cloud API <2.12.2026; Mobile App <2.11.0; Firmware <master.622 |
| Vendor | Gardyn Inc. |
| Affected products | Gardyn Home Kit Models 1.0, 2.0, 3.0, 4.0; Gardyn Studio Models 1.0, 2.0 |
| Sector | Food and Agriculture (CISA classification) |
| Status per CISA Update A | Remediated |
| Coordinator | CERT/CC (parent case VU#653116) and CISA |

What is documented
Per the researcher’s coordinated-disclosure repository, an Azure Blob Storage account key was hardcoded in the Gardyn mobile application and device firmware.
Primary sources
- CISA ICSA-26-055-03 (Update A)
- NVD: CVE-2025-10681
- MITRE CVE Record: CVE-2025-10681
- Disclosure repository
- Per-CVE researcher repository
Mitigation per CISA Update A
Per CISA Update A (April 2, 2026), this CVE is remediated. The fix versions stated by CISA are: Gardyn mobile application 2.11.0 or later; Gardyn cloud API 2.12.2026 or later; Home Kit firmware master.622 or later. See the CISA advisory and the "how to update" page.