Gardyn Security Incident


CVE-2026-13768

Privileged IoT Hub credential — fleet enumeration, device RCE, home-network pivot

CVE: CVE-2026-13768
Advisory: CISA ICSA-26-183-03 (Gardyn IoT Hub)
Severity: Critical (10.0)
CVSS v3.1 vector (per CISA): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
Weakness (CWE): CWE-798: Use of Hard-coded Credentials
Affected components: Home/Studio Firmware <master.627; Cloud API <2.12.2026
Vendor: Gardyn Inc.
Affected products: Gardyn Home Kit Models 1.0, 2.0, 3.0, 4.0; Gardyn Studio Models 1.0, 2.0
Sector: Food and Agriculture (CISA classification)
Status per CISA: Per CISA, Gardyn states the IoT Hub deployed infrastructure has been updated
Coordinator: CERT/CC (parent case VU#653116) and CISA

What is documented

Per CISA advisory ICSA-26-183-03 and the maintainer’s coordinated-disclosure repository, an exposed privileged IoT Hub credential (the iothubowner-class administrative key) permitted unauthenticated access to invoke IoT Hub Registry Manager functions, retrieve device connection information, execute arbitrary commands on managed devices, and pivot across networks. Per CISA, successful exploitation could allow unauthenticated users to access and control IoT Hub managed devices. The advisory carries an overall CVSS v3 base score of 10.0.

Relationship to ICSA-26-055-03

Per the maintainer’s repository, the control-plane blast radius of the Chain 1 attack documented under ICSA-26-055-03 — CVE-2025-1242 (hardcoded iothubowner credential) combined with CVE-2025-29631 (command injection in upgrade()) — is separately cataloged in this companion advisory as CVE-2026-13768. See the CVE index and CVE-2025-1242.

Primary sources

Mitigation per CISA

Per CISA ICSA-26-183-03 (July 2, 2026), Gardyn states that the IoT Hub deployed infrastructure has been updated to fix the listed vulnerabilities. Per CISA, users should ensure devices have internet connectivity so firmware updates apply automatically (firmware fix line master.627) and should update the mobile application. See the CISA advisory and the how to update page.
