Glossary
Definitions of terms used on this site, written for non-specialist readers.
Standards bodies and identifiers
CISA — Cybersecurity and Infrastructure Security Agency, a U.S. federal agency within the Department of Homeland Security. CISA publishes industrial control system advisories that document confirmed vulnerabilities affecting operational technology and IoT products.
ICSA — Industrial Control System Advisory, the format CISA uses for advisories about IoT, OT, and ICS products. ICSA-26-055-03 is the advisory that documents the Gardyn findings.
CVE — Common Vulnerabilities and Exposures, a globally unique identifier for a publicly disclosed vulnerability. Issued by a CVE Numbering Authority (CNA) and listed in the MITRE CVE program and the National Vulnerability Database.
NVD — National Vulnerability Database, maintained by NIST. The authoritative U.S. record for vulnerability identifiers and severity scoring.
CVSS — Common Vulnerability Scoring System. A 0.0–10.0 numeric score for vulnerability severity. CVSS 9.0–10.0 is the “Critical” tier; 7.0–8.9 is “High.” CVE-2026-28766 in this advisory is rated CVSS 9.3.
CWE — Common Weakness Enumeration. A taxonomy of underlying software-design flaws. CWE-306 (“missing authentication for critical function”), CWE-319 (“cleartext transmission”), and CWE-798 (“use of hard-coded credentials”) are referenced in this advisory.
CERT/CC — the CERT Coordination Center at Carnegie Mellon University’s Software Engineering Institute. Coordinates vulnerability disclosure between researchers and vendors. The parent case for this advisory is VU#653116.
Technical terms
API endpoint — a network address (URL) that an application or service exposes to be called programmatically. Endpoints can require authentication or be public.
Unauthenticated endpoint — an API endpoint that can be called without proving who you are. For sensitive functionality, this is generally a security flaw (CWE-306, “missing authentication for critical function”).
Azure IoT Hub — Microsoft’s managed cloud service for connecting and managing IoT devices. The CISA advisory references the “iothubowner” administrative connection string for the Gardyn IoT Hub.
Connection string — a string that bundles a service’s address with the credential used to authenticate to it. An IoT Hub connection string with administrative privileges effectively grants control of every device registered on that hub.
Hard-coded credential — a password, key, or token that is embedded directly in software or returned by a server, rather than provisioned dynamically per user. CWE-798.
Command injection — a class of vulnerability in which a program passes attacker-controlled input to a command interpreter without adequate sanitization, allowing the attacker to alter or append to the commands the program executes. CWE-78.
Remote code execution (RCE) — the ability for an attacker to run their own code on a target system over a network, generally the most serious class of vulnerability outcome. The combination of CVE-2025-1242 and CVE-2025-29631 in this advisory enables unauthenticated RCE as root on registered devices.
Cleartext transmission — sending sensitive data over the network without encryption. CWE-319. Allows on-path attackers to read or modify the data while it is in transit.
Man-in-the-middle (MITM) — an attack in which the attacker intercepts traffic between two parties and may read or modify it. Possible when sensitive data is transmitted in cleartext.
Privacy and consumer-protection terms
PII — Personally Identifiable Information. Includes names, email addresses, phone numbers, and physical addresses.
CCPA — the California Consumer Privacy Act and amendments (CPRA). Provides California residents with rights regarding their personal information and a private right of action in the event of certain data breaches.
GDPR — the EU General Data Protection Regulation. Includes breach notification obligations and rights for data subjects to be informed.
FTC — the U.S. Federal Trade Commission. Has consumer protection authority including under Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in commerce.
Coordinated disclosure — the practice in which a researcher reports a vulnerability privately to the vendor or a coordinator, allowing time for a fix before public release. The Gardyn advisory followed coordinated disclosure through CERT/CC and CISA.