For Press
Press kit and on-the-record contact for journalists covering CISA advisory ICSA-26-055-03.
Direct contact
- Email: press@gardyn-security-incident.info
- LinkedIn: linkedin.com/in/michael-adam-groberman
- Signal: Available on request via email
- PGP: See contact page
- Embargo policy: The maintainer will work with embargoed stories. Contact for details.
Press inquiries are typically answered within 24 hours.
Bio (third person, copy-pasteable)
Michael Groberman is credited as the reporting researcher in CISA advisory ICSA-26-055-03 for the coordinated disclosure of ten CVEs affecting the Gardyn IoT platform. Per the maintainer’s coordinated-disclosure repository, the original disclosure to Gardyn (October 14, 2025) and the escalation to CERT/CC (December 11, 2025) were made in his self-identified capacity as a Gardyn customer with technical knowledge whose own account record was among the records exposed by the unauthenticated endpoint and whose own device was used to demonstrate unauthenticated RCE; he consistently used the “customer” label and did not adopt the “security researcher” label until CISA applied that designation in the advisory published February 24, 2026. He maintains the public coordinated-disclosure repository.
Documented facts
- CISA published advisory ICSA-26-055-03 on February 24, 2026 with four CVEs.
- CISA published Update A on April 2, 2026, expanding to ten CVEs.
- The lead finding, CVE-2026-28766 (CVSS 9.3), is described in the CISA advisory as exposure of “all user account information” via an unauthenticated cloud API endpoint affecting approximately 134,215 customers.
- Per the maintainer’s coordinated-disclosure repository, the records returned by /api/users included names, email addresses, phone numbers, and a partial payment-card field (last_four), not the full card number or CVV. A separately cataloged single-record companion endpoint (/api/user/{id}, CVE-2026-25197) returned per-user records, including physical addresses, by sequential integer ID with no authentication.
- Per Gardyn’s customer-facing security update post (mygardyn.com/blog/security-update/), the vulnerabilities did not expose payment card information.
- Per CISA Update A, all ten CVEs are remediated. Per CISA, fix versions are mobile app 2.11.0+, cloud API 2.12.2026+, firmware master.622+.
- On February 24, 2026, Gardyn’s post stated firmware master.619; per CISA Update A, the fix for CVE-2025-29631 is in master.622 (released after master.619).
- Per the maintainer’s repository, initial private disclosure to Gardyn was October 14, 2025. That disclosure covered both the unauthenticated PII exposure on /api/users (later CVE-2026-28766), with the discloser’s own Gardyn customer account record among the records returned by the affected endpoint, and unauthenticated remote code execution on a Gardyn device the discloser owned (later CVE-2025-29631 in combination with CVE-2025-1242).
- Per the same repository, the December 11, 2025 CERT/CC engagement (parent case VU#653116) was an escalation following 58 days of vendor silence on the October 14 disclosure, not the first mention of the PII issue.
- Per the same repository, throughout the disclosure period (October 14, 2025 through February 23, 2026), the discloser consistently self-identified to Gardyn and to CERT/CC as a Gardyn customer with technical knowledge and did not adopt the “security researcher” label during that period. The “researcher” designation was applied by CISA in the advisory published February 24, 2026.
- Per the same repository, the unauthenticated /api/users endpoint stopped responding on December 18, 2025; the Azure IoT Hub administrative credential was rotated on January 22, 2026.
- Per the same repository, the Azure IoT Hub administrative credential (CVE-2025-1242) had been reachable since at least May 2019.
- Per the same repository, no authentication-level access logging existed on the affected endpoints during the exposure window (sourced to coordinated-disclosure correspondence and to a 2026-01-27 Gardyn customer-support response to a Personal Information Access Request, not to the CISA advisory text). As a forensic matter, when no access logging exists, unauthenticated access during the unlogged window is not observable in the vendor’s logs.
- Per CISA advisory ICSA-26-055-03 (Update A), the absence of authentication is documented across multiple endpoint categories: /api/users (CVE-2026-28766, customer-facing data), /api/admin/devices (CVE-2026-32646, administrative function), /api/admin/notifications (CVE-2026-28767, administrative function), and development/test endpoints reachable in production (CVE-2026-32662). The lack of authentication is documented as a property of multiple endpoints rather than an isolated finding.
- Per the same repository, three of the original four CVEs (CVE-2025-29628, CVE-2025-29629, CVE-2025-29631) were originally disclosed by mselbrede in February 2025 with technical details published in July 2025.
On-record quotes
“I disclosed to Gardyn on October 14, 2025 as a customer with technical knowledge whose own account data was in the exposed records and whose own device demonstrated the RCE. Up until CISA published the advisory on February 24, 2026, I kept identifying myself as a customer. The researcher label is something CISA applied; it’s not how I described myself during the disclosure.” — Michael Groberman
“Gardyn customers were entitled to accurate information about whether their data was exposed. The CISA advisory provides that information.” — Michael Groberman
“The technical findings are validated by CISA. The remaining question is the public record: what was said, when it was said, and how it compares to what an authoritative federal advisory documents.” — Michael Groberman
“Customer data, the device admin functions, and dev/test endpoints were all reachable without authentication. That’s a property of multiple endpoints in the same advisory, not one bug. And per the documented record — coordinated-disclosure correspondence and a 2026-01-27 Gardyn customer-support response to a Personal Information Access Request — there was no authentication-level access logging on those endpoints during the exposure window. The absence of evidence of access is what you get when you have no way to detect access.” — Michael Groberman
Source materials
- CISA ICSA-26-055-03 (advisory and Update A)
- NVD: CVE-2026-28766
- EUVD-2025-22716 (European Vulnerability Database, CVE-2025-29631)
- Maintainer repository
- CERT/CC VU#653116 record
- Gardyn customer-facing security update
- Gardyn Privacy Policy
- Timeline (this site)
- Discrepancies (this site)
- All ten CVEs (this site)
Existing coverage
See the press coverage page. Outlets that have covered the advisory include SecurityWeek (Eduard Kovacs), Patrick Coyle, Cybersecurity News, Cyber Press, GBhackers, Cyber Technology Insights, BitNinja Security, and OpenText Cybersecurity Community.