CVE-2025-1242
Use of Hard-coded Credentials (Azure IoT Hub)
| CVE | CVE-2025-1242 |
|---|---|
| Severity | Critical (9.1) |
| Weakness (CWE) | CWE-798: Use of Hard-coded Credentials |
| Affected components | Cloud API <2.12.2026; Mobile App <2.11.0; Firmware <master.622 |
| Vendor | Gardyn Inc. |
| Affected products | Gardyn Home Kit Models 1.0, 2.0, 3.0, 4.0; Gardyn Studio Models 1.0, 2.0 |
| Sector | Food and Agriculture (CISA classification) |
| Status per CISA Update A | Remediated |
| Coordinator | CERT/CC (parent case VU#653116) and CISA |
What is documented
Per the researcher’s coordinated-disclosure repository, the Azure IoT Hub administrative credential (the iothubowner shared access policy) was reachable through unauthenticated API responses, the mobile application bundle, and device firmware. The same repository states that the credential had been reachable in API responses since at least May 2019, roughly six years before disclosure, and that it was retained across an IoT Hub migration.
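As an added defensive example (not code from the advisory, the researcher or the vendor): a scanner that finds Azure IoT Hub connection strings in build artifacts or API response bodies and distinguishes a hub-level policy credential such as iothubowner from a device-scoped one, so a release gate can fail on the former. It assumes artifacts are supplied as raw bytes; the hostnames, device id and keys in the sample data are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# An IoT Hub connection string is ';'-separated key=value pairs. Hub-level strings carry
# SharedAccessKeyName (a policy such as iothubowner, which has every permission on the hub);
# device-scoped strings carry DeviceId instead and authenticate only that one device.
CONN_STR_RE = re.compile(
    rb"HostName=[A-Za-z0-9.-]+\.azure-devices\.net(?:;[A-Za-z]+=[A-Za-z0-9+/=._:%-]+)+")
# Built-in hub policies whose leak exposes the whole fleet rather than one device.
PRIVILEGED_POLICIES = {"iothubowner", "service", "registryReadWrite", "registryRead"}

@dataclass
class Finding:
    source: str                # artifact the string was found in
    hostname: str
    policy: Optional[str]      # SharedAccessKeyName; None for device-scoped strings
    device_id: Optional[str]
    key_fingerprint: str       # first 4 chars of the key, remainder redacted

    @property
    def privileged(self) -> bool:
        return self.policy in PRIVILEGED_POLICIES

def scan_artifact(name: str, data: bytes) -> list[Finding]:
    """Return every IoT Hub connection string embedded in an artifact's bytes."""
    findings = []
    for m in CONN_STR_RE.finditer(data):
        fields = dict(part.split(b"=", 1) for part in m.group(0).split(b";"))
        get = lambda k: fields[k].decode() if k in fields else None
        findings.append(Finding(name, get(b"HostName"), get(b"SharedAccessKeyName"),
                                get(b"DeviceId"),
                                fields.get(b"SharedAccessKey", b"")[:4].decode("ascii", "replace") + "..."))
    return findings

def privileged_findings(artifacts: dict[str, bytes]) -> list[Finding]:
    """Findings that should fail a release gate: hub-policy credentials in shipped artifacts."""
    return [f for name, data in artifacts.items()
            for f in scan_artifact(name, data) if f.privileged]

# Constructed sample artifacts (hostname, device id and keys are fake), one per channel named above.
SAMPLES = {
    "firmware.bin": b"\x00boot\x00HostName=example-hub.azure-devices.net;DeviceId=unit-42;"
                    b"SharedAccessKey=FAKEDEVICEKEYFAKEDEVICEKEY=\x00",
    "api_response.json": b'{"iothub":"HostName=example-hub.azure-devices.net;'
                         b'SharedAccessKeyName=iothubowner;SharedAccessKey=FAKEOWNERKEY0="}',
    "clean.txt": b"no connection strings here",
}
```

Running `privileged_findings(SAMPLES)` flags only the API response, because the firmware sample carries a device-scoped string, which is what a device should hold.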
Primary sources
- CISA ICSA-26-055-03 (Update A)
- NVD: CVE-2025-1242
- MITRE CVE Record: CVE-2025-1242
- Disclosure repository
- Per-CVE researcher repository
Mitigation per CISA Update A
Per CISA Update A (April 2, 2026), this CVE is remediated. The fix versions stated by CISA are: Gardyn mobile application 2.11.0 or later; Gardyn cloud API 2.12.2026 or later; Home Kit firmware master.622 or later. See the CISA advisory and the how-to-update page.