CVE-2025-1242
Use of Hard-coded Credentials (Azure IoT Hub)
| CVE | CVE-2025-1242 |
|---|---|
| Severity | Critical (9.1) |
| Weakness (CWE) | CWE-798: Use of Hard-coded Credentials |
| Affected components | Cloud API <2.12.2026; Mobile App <2.11.0; Firmware <master.622 |
| Vendor | Gardyn Inc. |
| Affected products | Gardyn Home Kit Models 1.0, 2.0, 3.0, 4.0; Gardyn Studio Models 1.0, 2.0 |
| Sector | Food and Agriculture (CISA classification) |
| Status per CISA Update A | Remediated |
| Coordinator | CERT/CC (parent case VU#653116) and CISA |
What is documented
Per the maintainer’s coordinated-disclosure repository, the Azure IoT Hub administrative credential (the iothubowner shared access policy) was reachable through unauthenticated API responses, the mobile application bundle, and device firmware. The same repository states that the credential had been reachable in API responses since at least May 2019, approximately six years prior to disclosure, and that it was retained across an IoT Hub migration.
Chained delivery via CVE-2026-28766
Per the maintainer’s coordinated-disclosure repository, the iothubowner SharedAccessKey corresponding to this CVE was returned in the response body of the unauthenticated /api/users endpoint cataloged as CVE-2026-28766. The credential appeared as the hub_conn_string field in every one of the 134,215 records returned by that endpoint. The two CVEs are cataloged separately in the CISA advisory; per the maintainer’s repository, in the captured evidence they were delivered together through a single anonymous HTTP GET. See the CVE-2026-28766 page for the field enumeration and chained-impact analysis.
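The two sections above describe a single failure pattern: a hub-wide Azure IoT Hub shared-access connection string embedded in API response records (and, per the repository, in app and firmware artifacts). The scanner below is an added example, not code from the advisory, the researcher's repositories, or the vendor; it shows how a defender can check their own API responses or extracted strings for this class of leak. It relies on the documented IoT Hub connection-string layout (`HostName=…;SharedAccessKeyName=…;SharedAccessKey=…`), reports the policy name and a key fingerprint rather than the key itself, and does not depend on the field name (`hub_conn_string`) seen in this case. The hub name, key material and user records in the sample are constructed, and the set of policy names treated as privileged is a judgement call, not something the advisory states.

```python
"""Detect Azure IoT Hub shared-access credentials leaking through API responses.

Added example (not from the advisory or the vendor). Scans a JSON response body,
or any text blob such as strings dumped from an app bundle or firmware image,
for IoT Hub connection strings and reports policy name plus a key fingerprint.
"""
import hashlib
import json
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# Azure IoT Hub shared-access connection strings are semicolon-separated
# key=value pairs:
#   HostName=<hub>.azure-devices.net;SharedAccessKeyName=<policy>;SharedAccessKey=<base64>
# Only the key value may itself contain '=' (base64 padding), so each segment
# is split on the first '=' only.
CONN_STRING_RE = re.compile(r"HostName=[^;\s\"']+(?:;[A-Za-z]+=[^;\s\"']+)+")

# Built-in policies that grant hub-wide rights. Assumption / judgement call:
# iothubowner is the full-access policy named in the advisory; service and
# registryReadWrite also permit hub-wide actions and are flagged too.
PRIVILEGED_POLICIES = {"iothubowner", "service", "registryReadWrite"}


@dataclass(frozen=True)
class Finding:
    hostname: str
    policy: str
    privileged: bool
    key_fingerprint: str  # truncated SHA-256 of the key; safe to log, key is not


def parse_connection_string(value: str) -> Optional[Dict[str, str]]:
    """Return the parts of an IoT Hub shared-access connection string, or None."""
    parts: Dict[str, str] = {}
    for segment in value.split(";"):
        if "=" not in segment:
            return None
        key, val = segment.split("=", 1)
        parts[key] = val
    required = {"HostName", "SharedAccessKeyName", "SharedAccessKey"}
    return parts if required.issubset(parts) else None


def fingerprint(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def scan_text(blob: str) -> List[Finding]:
    """Find every IoT Hub shared-access connection string in a text blob."""
    findings = []
    for match in CONN_STRING_RE.finditer(blob):
        parts = parse_connection_string(match.group(0))
        if parts is None:
            continue
        policy = parts["SharedAccessKeyName"]
        findings.append(Finding(
            hostname=parts["HostName"],
            policy=policy,
            privileged=policy in PRIVILEGED_POLICIES,
            key_fingerprint=fingerprint(parts["SharedAccessKey"]),
        ))
    return findings


def _strings(obj) -> Iterator[str]:
    """Yield every string value in a nested JSON structure."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)


def scan_json_records(body: str) -> dict:
    """Summarise credential exposure across a JSON array of records.

    Every string value is inspected, so the scanner does not rely on a
    particular field name such as hub_conn_string.
    """
    records = json.loads(body)
    if not isinstance(records, list):
        records = [records]
    affected = 0
    fingerprints, policies = set(), set()
    for record in records:
        hits = [f for text in _strings(record) for f in scan_text(text)]
        if any(f.privileged for f in hits):
            affected += 1
        fingerprints.update(f.key_fingerprint for f in hits)
        policies.update(f.policy for f in hits)
    return {
        "total_records": len(records),
        "records_with_privileged_credential": affected,
        "distinct_keys": len(fingerprints),
        "policies": sorted(policies),
    }


# Constructed sample response: hub name, keys and user data are all made up.
FAKE_KEY = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5MDEyMw=="
SAMPLE_BODY = json.dumps([
    {"id": 1, "email": "user1@example.invalid",
     "hub_conn_string": f"HostName=examplehub.azure-devices.net;SharedAccessKeyName=iothubowner;SharedAccessKey={FAKE_KEY}"},
    {"id": 2, "email": "user2@example.invalid",
     "hub_conn_string": f"HostName=examplehub.azure-devices.net;SharedAccessKeyName=iothubowner;SharedAccessKey={FAKE_KEY}"},
    {"id": 3, "email": "user3@example.invalid",
     "notes": "HostName=examplehub.azure-devices.net;SharedAccessKeyName=registryRead;SharedAccessKey=b3RoZXJrZXk="},
])

if __name__ == "__main__":
    print(scan_json_records(SAMPLE_BODY))
```

Run against a captured response, the summary tells you how many records carry a hub-wide credential and how many distinct keys are involved, which is what you need to scope key rotation; the same `scan_text` call can be pointed at `strings` output from an app bundle or firmware image.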
Primary sources
- CISA ICSA-26-055-03 (Update A)
- NVD: CVE-2025-1242
- MITRE CVE Record: CVE-2025-1242
- Disclosure repository
- Per-CVE researcher repository
Mitigation per CISA Update A
Per CISA Update A (April 2, 2026), this CVE is remediated. The fix versions stated by CISA are: Gardyn mobile application 2.11.0 or later; Gardyn cloud API 2.12.2026 or later; Home Kit firmware master.622 or later. See the CISA advisory and the how-to-update page.