For Researchers
Technical materials related to CISA advisory ICSA-26-055-03 and the ten CVEs it covers.
Disclosure repositories
| Repository | Location |
|---|---|
| Main advisory repository | github.com/MichaelAdamGroberman/ICSA-26-055-03 |
| CERT/CC parent case | github.com/MichaelAdamGroberman/VU653116 |
Per-CVE repositories (seven of the ten CVEs; the remaining three are listed under Prior work)
- CVE-2025-1242 — Hardcoded Azure IoT Hub administrative credential (CWE-798)
- CVE-2025-10681 — Hardcoded Azure Blob Storage account key (CWE-798)
- CVE-2026-25197 — IDOR on /api/user/{id} (CWE-639)
- CVE-2026-28766 — Unauthenticated /api/users (CWE-306)
- CVE-2026-28767 — Unauthenticated /api/admin/notifications (CWE-306)
- CVE-2026-32646 — Unauthenticated /api/admin/devices (CWE-306)
- CVE-2026-32662 — Active debug code in production (CWE-489)
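The two CWE-798 entries above are hardcoded Azure credentials, and a researcher looking for them in an app bundle or firmware image is looking for connection strings of a known shape. The scanner below is an added example written for this page, not code from the disclosure repositories or from the vendor: it matches the documented Azure IoT Hub and Storage connection-string formats and ranks each hit by blast radius (a hub-wide policy such as iothubowner versus a single device's key). The sample input, host names, account names and keys are constructed.

```python
import re
from dataclasses import dataclass

# Azure IoT Hub built-in policies that act on every device registered to the hub
# (iothubowner carries all rights). A key for one of these is hub-wide, not per-device.
HUB_WIDE_POLICIES = {"iothubowner", "service", "registryReadWrite", "registryRead"}

B64 = r"[A-Za-z0-9+/]{40,}={0,2}"  # loose base64 match; real keys are 44 or 88 chars

IOT_HUB_POLICY = re.compile(
    r"HostName=(?P<host>[\w.-]+\.azure-devices\.net);"
    r"SharedAccessKeyName=(?P<policy>[\w-]+);SharedAccessKey=(?P<key>" + B64 + ")"
)
IOT_HUB_DEVICE = re.compile(
    r"HostName=(?P<host>[\w.-]+\.azure-devices\.net);"
    r"DeviceId=(?P<device>[\w.-]+);SharedAccessKey=(?P<key>" + B64 + ")"
)
STORAGE_ACCOUNT = re.compile(
    r"AccountName=(?P<account>[a-z0-9]{3,24});AccountKey=(?P<key>" + B64 + ")"
)


@dataclass
class Finding:
    kind: str       # iot-hub-policy | iot-hub-device | storage-account
    scope: str      # hub host or storage account the secret unlocks
    principal: str  # policy name, device id or account name
    severity: str   # critical = hub-wide / account-wide, high = one device only
    key_hint: str   # first four characters only; never write the full secret to a report


def scan(text: str) -> list:
    """Return every embedded Azure secret found in `text`, ranked by blast radius."""
    out = []
    for m in IOT_HUB_POLICY.finditer(text):
        sev = "critical" if m["policy"] in HUB_WIDE_POLICIES else "high"
        out.append(Finding("iot-hub-policy", m["host"], m["policy"], sev, m["key"][:4] + "..."))
    for m in IOT_HUB_DEVICE.finditer(text):
        out.append(Finding("iot-hub-device", m["host"], m["device"], "high", m["key"][:4] + "..."))
    for m in STORAGE_ACCOUNT.finditer(text):
        out.append(Finding("storage-account", m["account"], m["account"], "critical", m["key"][:4] + "..."))
    return out


# Constructed sample of an extracted app bundle; the hosts, names and keys are fake
# (hypothetical values chosen for this example, not the real artifact).
SAMPLE = (
    'const HUB = "HostName=example-hub.azure-devices.net;SharedAccessKeyName=iothubowner;'
    'SharedAccessKey=' + "A" * 43 + '=";\n'
    'const DEV = "HostName=example-hub.azure-devices.net;DeviceId=dev-0001;'
    'SharedAccessKey=' + "B" * 43 + '=";\n'
    'const BLOB = "DefaultEndpointsProtocol=https;AccountName=examplestore;'
    'AccountKey=' + "C" * 86 + '==;EndpointSuffix=core.windows.net";\n'
)

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f.severity:8} {f.kind:16} {f.scope} ({f.principal}) key={f.key_hint}")
```

Run it against strings extracted from a decompiled app or firmware blob (for example the output of `strings`); the severity column is what separates a per-device key, which only impersonates one device, from a hub-wide policy, which can read and rewrite the whole device registry.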
Attack chains, per the researcher’s repository
Chain 1. CVE-2025-1242 (hardcoded iothubowner credential, the hub-wide IoT Hub policy with full registry, service and device rights) plus CVE-2025-29631 (command injection in upgrade()) yields, per the repository, unauthenticated remote code execution as root across the registered device fleet (138,160+ devices).
Chain 2. CVE-2026-28766 (unauthenticated /api/users) plus CVE-2026-25197 (IDOR on /api/user/{id} with sequential integer ids) provides, per the repository, read access to 134,215 user records of PII: names, email addresses, phone numbers, and the last_four partial payment-card field.
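Chain 2 has a recognisable shape in server access logs: one client walks /api/user/{id} over consecutive integer ids, often after pulling /api/users. The check below is an added example for this page, not the researcher's tooling or anything from the vendor; the log lines are constructed and the endpoint paths are taken from the CVE descriptions above. Its limit is worth stating: an access log does not show whether a request carried credentials, so a hit on the listing endpoint is a precursor signal, not proof of the CWE-306 condition.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Common Log Format line; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
USER_RE = re.compile(r"^/api/user/(?P<id>\d+)$")  # per-user object endpoint (CVE-2026-25197)
LISTING_PATH = "/api/users"                       # bulk listing endpoint (CVE-2026-28766)


@dataclass
class ClientActivity:
    listing_hits: int = 0                       # 200 responses from /api/users
    user_ids: set = field(default_factory=set)  # distinct ids read from /api/user/{id}


def longest_consecutive_run(ids: set) -> int:
    """Length of the longest run of adjacent integers in `ids`, O(n)."""
    best = 0
    for i in ids:
        if i - 1 not in ids:        # only start counting at the head of a run
            n = 1
            while i + n in ids:
                n += 1
            best = max(best, n)
    return best


def collect(lines):
    """Group successful (200) hits on the two endpoints by client address."""
    clients = defaultdict(ClientActivity)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue
        path = m["path"].split("?", 1)[0]
        if path == LISTING_PATH:
            clients[m["ip"]].listing_hits += 1
        else:
            u = USER_RE.match(path)
            if u:
                clients[m["ip"]].user_ids.add(int(u["id"]))
    return clients


def flag_enumeration(lines, run_threshold=5):
    """Clients whose access pattern looks like sequential-id harvesting of /api/user/{id}."""
    flagged = {}
    for ip, act in collect(lines).items():
        run = longest_consecutive_run(act.user_ids)
        chained = act.listing_hits > 0 and len(act.user_ids) >= 2  # listing followed by per-id reads
        if run >= run_threshold or chained:
            flagged[ip] = {"run": run, "distinct_ids": len(act.user_ids),
                           "listing_hits": act.listing_hits}
    return flagged


# Constructed log sample for this example (hypothetical addresses and timestamps).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2026:10:00:00 +0000] "GET /api/users HTTP/1.1" 200 18231
10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /api/user/1001 HTTP/1.1" 200 512
10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /api/user/1002 HTTP/1.1" 200 498
10.0.0.5 - - [01/Mar/2026:10:00:02 +0000] "GET /api/user/1003 HTTP/1.1" 200 503
10.0.0.5 - - [01/Mar/2026:10:00:02 +0000] "GET /api/user/1004 HTTP/1.1" 200 511
10.0.0.5 - - [01/Mar/2026:10:00:03 +0000] "GET /api/user/1005 HTTP/1.1" 200 507
10.0.0.5 - - [01/Mar/2026:10:00:03 +0000] "GET /api/user/1006 HTTP/1.1" 200 499
10.0.0.9 - - [01/Mar/2026:10:00:05 +0000] "GET /api/user/2040 HTTP/1.1" 200 520
10.0.0.9 - - [01/Mar/2026:10:00:06 +0000] "GET /api/user/2040 HTTP/1.1" 200 520
10.0.0.7 - - [01/Mar/2026:10:00:07 +0000] "GET /api/admin/devices HTTP/1.1" 401 0
"""

if __name__ == "__main__":
    for ip, info in flag_enumeration(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Only 200 responses are counted, so a client that is correctly refused (the 401 on /api/admin/devices above) produces no signal; the run threshold of 5 is a starting point and should be tuned against the site's normal per-client id spread.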
Prior work
Per the researcher’s repository, CVE-2025-29628, CVE-2025-29629, and CVE-2025-29631 were originally disclosed by mselbrede in February 2025, with technical details and a proof-of-concept published in July 2025.
- github.com/mselbrede/gardyn (original research)
- github.com/kristof-mattei/gardyn-hack (mirror)
Other references
- CISA ICSA-26-055-03 (advisory and Update A)
- CSAF JSON
- NVD: CVE-2026-28766
- EUVD-2025-22716 (CVE-2025-29631)
Contact
See the contact page. PGP and Signal available.