For Researchers
Technical materials related to CISA advisory ICSA-26-055-03 and the ten CVEs.
Disclosure repositories
| Repository | Location |
|---|---|
| Main advisory repository | github.com/MichaelAdamGroberman/ICSA-26-055-03 |
| CERT/CC parent case | github.com/MichaelAdamGroberman/VU653116 |
Per-CVE repositories
- CVE-2025-1242 — Hardcoded Azure IoT Hub administrative credential (CWE-798)
- CVE-2025-10681 — Hardcoded Azure Blob Storage account key (CWE-798)
- CVE-2026-25197 — IDOR on /api/user/{id} (CWE-639)
- CVE-2026-28766 — Unauthenticated /api/users (CWE-306)
- CVE-2026-28767 — Unauthenticated /api/admin/notifications (CWE-306)
- CVE-2026-32646 — Unauthenticated /api/admin/devices (CWE-306)
- CVE-2026-32662 — Active debug code in production (CWE-489)
Endpoints documented as not requiring authentication
Per CISA advisory ICSA-26-055-03 (Update A), the absence of authentication is documented as a property of multiple endpoints across customer, administrative, and dev/test scopes:
| CVE | Endpoint or scope | Function | CVSS |
|---|---|---|---|
| CVE-2026-28766 | /api/users | Customer-facing data (approximately 134,215 records) | 9.3 |
| CVE-2026-32646 | /api/admin/devices | Administrative function (device enumeration and management) | 7.5 |
| CVE-2026-28767 | /api/admin/notifications | Administrative function (notification system) | 5.3 |
| CVE-2026-32662 | Development and test endpoints (multiple paths) | Dev/test endpoints reachable in production | 5.3 |
The same advisory documents, as separate findings, hardcoded administrative credentials (CVE-2025-1242, CVSS 9.1), a hardcoded Azure Blob Storage account key (CVE-2025-10681, CVSS 8.6), default credentials enabling SSH access to the device platform (CVE-2025-29629, CVSS 8.3), and cleartext transmission of an IoT Hub connection string (CVE-2025-29628, CVSS 8.3). Taken together, the advisory documents a lack of authentication or authorization controls across customer, administrative, dev/test, device-platform SSH, and infrastructure-credential scopes.
Detectability of access during the exposure window
Per the maintainer’s coordinated-disclosure repository, no authentication-level access logging existed on the affected endpoints during the exposure window; this is sourced to coordinated-disclosure correspondence and to a 2026-01-27 Gardyn customer-support response to a Personal Information Access Request, not to the CISA advisory text. As a forensic matter, when no access logging exists on an endpoint, unauthenticated access to that endpoint during the unlogged window is not observable in the vendor’s logs. Statements about whether unauthorized access did or did not occur during the exposure window are bounded by the existence of access logging at the time.
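As an added example (not code from the advisory, the vendor, or the maintainer's repositories), a deny-by-default authorization check for the endpoints listed above, with the per-decision access logging that the preceding paragraph notes was absent. The roles, the Principal model, the admin-only policy for /api/users, and the dev/test path pattern are assumptions.

```python
import logging
import re
from dataclasses import dataclass
from typing import Optional, Tuple

logger = logging.getLogger("api.access")

@dataclass
class Principal:
    user_id: int
    role: str  # assumed roles: "customer" or "admin"

# Policy for the endpoints named in the advisory, keyed by the CVE each entry addresses.
# The dev/test paths are placeholders: the advisory says "multiple paths" without naming them.
POLICY = [
    (re.compile(r"^/api/users$"), "admin"),                      # CVE-2026-28766
    (re.compile(r"^/api/admin/devices$"), "admin"),              # CVE-2026-32646
    (re.compile(r"^/api/admin/notifications$"), "admin"),        # CVE-2026-28767
    (re.compile(r"^/api/user/(?P<id>\d+)$"), "owner_or_admin"),  # CVE-2026-25197
    (re.compile(r"^/api/(debug|test)/"), "disabled"),            # CVE-2026-32662 (placeholder)
]

def authorize(path: str, principal: Optional[Principal]) -> Tuple[int, str]:
    """Return (HTTP status, reason); log every decision before any data is served."""
    for pattern, rule in POLICY:
        m = pattern.match(path)
        if not m:
            continue
        if rule == "disabled":
            status, reason = 404, "endpoint disabled in production"      # CWE-489
        elif principal is None:
            status, reason = 401, "no authenticated principal"           # CWE-306
        elif rule == "admin" and principal.role != "admin":
            status, reason = 403, "admin role required"
        elif (rule == "owner_or_admin" and principal.role != "admin"
              and int(m.group("id")) != principal.user_id):
            status, reason = 403, "object not owned by caller"           # CWE-639
        else:
            status, reason = 200, "allowed"
        break
    else:
        status, reason = 404, "no policy for path (deny by default)"
    # Authentication-level access record for every request, allowed or denied,
    # so that access during any future window is observable in the logs.
    logger.info("path=%s principal=%s status=%d reason=%s",
                path, principal.user_id if principal else "-", status, reason)
    return status, reason
```

The sequential-integer IDOR is closed by the ownership comparison, and the unauthenticated endpoints by the 401 branch that runs before any role or ownership check.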
Attack chains, per the maintainer’s repository
Chain 1. CVE-2025-1242 (hardcoded iothubowner credential) plus CVE-2025-29631 (command injection in upgrade()) yields, per the repository, unauthenticated remote code execution as root on registered devices (138,160+).
Chain 2. CVE-2026-28766 (unauthenticated /api/users) plus CVE-2026-25197 (IDOR on /api/user/{id} with sequential integer ids) provides, per the repository, PII access for 134,215 user records, including names, email addresses, phone numbers, and a partial payment-card field (last_four), not full card number or CVV.
Prior work
Per the maintainer’s repository, CVE-2025-29628, CVE-2025-29629, and CVE-2025-29631 were originally disclosed by mselbrede in February 2025, with technical details and a proof-of-concept published in July 2025.
- github.com/mselbrede/gardyn (original research)
- github.com/kristof-mattei/gardyn-hack (mirror)
Other references
- CISA ICSA-26-055-03 (advisory and Update A)
- CSAF JSON
- NVD: CVE-2026-28766
- EUVD-2025-22716 (CVE-2025-29631)
Contact
See the contact page. PGP and Signal available.