For Press
Press kit and on-the-record contact for journalists covering CISA advisory ICSA-26-055-03.
Direct contact
- Email: press@gardyn-security-incident.info
- LinkedIn: linkedin.com/in/michael-adam-groberman
- Signal: Available on request via email
- PGP: See contact page
- Embargo policy: The maintainer will work with embargoed stories. Contact for details.
Press inquiries are typically answered within 24 hours.
Bio (third person, copy-pasteable)
Michael Groberman is an independent security researcher (handle: Gr0m) credited in CISA advisory ICSA-26-055-03 for the coordinated disclosure of ten CVEs affecting the Gardyn IoT platform. Per the researcher’s coordinated-disclosure repository, initial vendor outreach was on October 14, 2025; CISA published the initial advisory on February 24, 2026 and Update A on April 2, 2026. He maintains the public coordinated-disclosure repository.
Documented facts
- CISA published advisory ICSA-26-055-03 on February 24, 2026 with four CVEs.
- CISA published Update A on April 2, 2026, expanding to ten CVEs.
- The lead finding, CVE-2026-28766 (CVSS 9.3), is described in the CISA advisory as exposure of “all user account information” via an unauthenticated cloud API endpoint affecting approximately 134,215 customers.
- Per the researcher’s coordinated-disclosure repository, the records returned by the affected endpoint included names, email addresses, phone numbers, physical addresses, and the last_four partial payment-card field.
- Per Gardyn’s customer-facing security update post (mygardyn.com/blog/security-update/), the vulnerabilities did not expose payment card information.
- Per CISA Update A, all ten CVEs are remediated. Per CISA, fix versions are mobile app 2.11.0+, cloud API 2.12.2026+, firmware master.622+.
- On February 24, 2026, Gardyn’s post cited firmware master.619; per CISA Update A, the fix for CVE-2025-29631 is in master.622 (released after master.619).
- Per the researcher’s repository, initial vendor disclosure was October 14, 2025; CERT/CC disclosure was December 11, 2025; the unauthenticated /api/users endpoint stopped responding on December 18, 2025; the Azure IoT Hub administrative credential was rotated on January 22, 2026.
- Per the researcher’s repository, the Azure IoT Hub administrative credential (CVE-2025-1242) had been reachable since at least May 2019.
- Per the researcher’s repository, the vendor stated to CISA that no access logging existed on the affected endpoints during the exposure window.
- Per the researcher’s repository, three of the original four CVEs (CVE-2025-29628, CVE-2025-29629, CVE-2025-29631) were first disclosed by mselbrede in February 2025, with technical details published in July 2025.
On-record quotes
“Gardyn customers were entitled to accurate information about whether their data was exposed. The CISA advisory provides that information.” — Michael Groberman
“The technical findings are validated by CISA. The remaining question is the public record: what was said, when it was said, and how it compares to what an authoritative federal advisory documents.” — Michael Groberman
“Initial private notification to the vendor was on October 14, 2025. Public release came after federal coordination through CERT/CC and CISA.” — Michael Groberman
Source materials
- CISA ICSA-26-055-03 (advisory and Update A)
- NVD: CVE-2026-28766
- EUVD-2025-22716 (European Vulnerability Database, CVE-2025-29631)
- Researcher repository
- CERT/CC VU#653116 record
- Gardyn customer-facing security update
- Gardyn Privacy Policy
- Timeline (this site)
- Discrepancies (this site)
- All ten CVEs (this site)
Existing coverage
See the press coverage page. Outlets that have covered the advisory include SecurityWeek (Eduard Kovacs), Patrick Coyle, Cybersecurity News, Cyber Press, GBhackers, Cyber Technology Insights, BitNinja Security, and OpenText Cybersecurity Community.