CERT/CC VU#653116 | CISA Advisory ICSA-26-055-03
| Field | Value |
|---|---|
| CVE | CVE-2025-10681 |
| ICSA | ICSA-26-055-03 |
| CVSS 3.1 | 8.6 (High) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L |
| CWE | CWE-798 (Use of Hard-coded Credentials) |
| Researcher | Michael Groberman — Gr0m |
| Published | 2026-02-24 |

| Field | Value |
|---|---|
| Vendor | Gardyn |
| Product | Gardyn Home Kit 1.0, 2.0, 3.0, 4.0; Gardyn Studio 1.0, 2.0 |
| Component | Device firmware, mobile application |
| Affected Versions | All firmware versions, Mobile App all versions |
An Azure Blob Storage account key is hardcoded in both the Gardyn device firmware and mobile application. This account-level credential grants access to all blob containers including OTA firmware updates, device logs, and camera images from approximately 115,000 devices.
Account names removed — Specific Azure resource identifiers have been removed from this public disclosure to reduce attacker enablement.
Three Azure Blob Storage accounts are accessible via the hardcoded key. They serve camera still images, device logs, OTA updates, timelapse videos (constructed from still images), and thumbnail images — all at account-level (full access) permissions. The Gardyn camera does not capture or store audio streams; all camera-related media is image-based.
The storage account key is embedded in:
- Device firmware — plaintext in configuration files under /usr/local/etc/gardyn/
- Mobile application — React Native Hermes bytecode in index.android.bundle
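The two locations above are exactly where a firmware or app-bundle audit should look. The following Go program is an added example, not code from the advisory or from Gardyn: it scans an extracted firmware root or unpacked app bundle for Azure Storage account keys, which have a recognisable shape (88 base64 characters that decode to 64 bytes, usually behind AccountKey= in a connection string) and reports them with the key redacted. The sample tree it builds is constructed: the directory /usr/local/etc/gardyn/ comes from the advisory, but the file name storage.conf, the account name examplestorage and the all-zero key are placeholders.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"regexp"
)

// Finding records one hard-coded Azure Storage account-key candidate.
type Finding struct {
	Path    string // file the candidate was found in
	Context string // how it appeared, with the key redacted
}

// An account key is 64 random bytes, base64-encoded: 86 base64 characters plus "==".
var keyRe = regexp.MustCompile(`[A-Za-z0-9+/]{86}==`)

// looksLikeAccountKey keeps only candidates that decode to exactly 64 bytes.
func looksLikeAccountKey(candidate string) bool {
	raw, err := base64.StdEncoding.DecodeString(candidate)
	return err == nil && len(raw) == 64
}

// ScanBytes inspects one file. It works on plaintext config files and on binaries
// such as a Hermes bytecode bundle, whose string table keeps JS literals intact.
func ScanBytes(path string, data []byte) []Finding {
	// Only files that also name a storage account count; otherwise any 88-character
	// base64 blob (a certificate, an icon) would fire.
	if !bytes.Contains(data, []byte("AccountName=")) && !bytes.Contains(data, []byte(".blob.core.windows.net")) {
		return nil
	}
	var out []Finding
	seen := map[string]bool{}
	for _, loc := range keyRe.FindAllIndex(data, -1) {
		key := string(data[loc[0]:loc[1]])
		if seen[key] || !looksLikeAccountKey(key) {
			continue
		}
		seen[key] = true
		ctx := "bare key"
		if bytes.HasSuffix(data[:loc[0]], []byte("AccountKey=")) {
			ctx = "connection string AccountKey=" // the usual form in config files
		}
		// Keep four characters at each end so the report does not re-disclose the secret.
		out = append(out, Finding{Path: path, Context: ctx + " " + key[:4] + "..." + key[len(key)-4:]})
	}
	return out
}

// ScanTree walks an extracted firmware root or an unpacked app bundle.
func ScanTree(root string) ([]Finding, error) {
	var all []Finding
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.IsDir() {
			return walkErr
		}
		data, err := os.ReadFile(p)
		if err == nil {
			all = append(all, ScanBytes(p, data)...)
		}
		return err
	})
	return all, err
}

// ConstructedKey is a deliberately fake key (64 zero bytes, base64) used only to
// build the sample tree; it is not a real credential.
var ConstructedKey = base64.StdEncoding.EncodeToString(make([]byte, 64))

// BuildSampleTree writes a constructed layout mirroring the advisory's two locations:
// a config file under usr/local/etc/gardyn/ (directory from the advisory; storage.conf
// is hypothetical) and a fake index.android.bundle holding the key after arbitrary bytes.
func BuildSampleTree(dir string) error {
	cfgDir := filepath.Join(dir, "usr", "local", "etc", "gardyn")
	if err := os.MkdirAll(cfgDir, 0o755); err != nil {
		return err
	}
	cfg := "DefaultEndpointsProtocol=https;AccountName=examplestorage;AccountKey=" +
		ConstructedKey + ";EndpointSuffix=core.windows.net\n"
	if err := os.WriteFile(filepath.Join(cfgDir, "storage.conf"), []byte(cfg), 0o644); err != nil {
		return err
	}
	bundle := append([]byte{0x00, 0x01, 0x02, 0x03},
		"examplestorage.blob.core.windows.net\x00"+ConstructedKey+"\x00"...)
	return os.WriteFile(filepath.Join(dir, "index.android.bundle"), bundle, 0o644)
}

func main() {
	dir, _ := os.MkdirTemp("", "fw-scan")
	defer os.RemoveAll(dir)
	if err := BuildSampleTree(dir); err != nil {
		panic(err)
	}
	findings, _ := ScanTree(dir)
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Path, f.Context)
	}
}
```

Run against a real extraction (`ScanTree("/path/to/rootfs")`), the same function reports both the plaintext configuration file and the bytecode bundle, because a Hermes string table still contains the literal. The decode-to-64-bytes check is what keeps the regex from flagging every long base64 string in a firmware image.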
Container names removed — Specific resource identifiers have been removed from this public disclosure to reduce attacker enablement.
Enumeration revealed containers containing home interior camera images (~115,000 cameras), device diagnostic logs (5+ years), timelapse recordings, and firmware update packages. Camera image, log, and OTA update containers have read/write access.
Write access to the OTA firmware container provides architectural access to the firmware update pipeline.
- Read access to home interior camera images from approximately 115,000 Gardyn cameras
- Read/write access to OTA firmware update storage — enables supply chain attacks
- Access to 5+ years of device diagnostic logs
- Storage cost attacks via arbitrary blob uploads
- Architectural access to the OTA firmware update pipeline
| Service | Purpose |
|---|---|
| Shared Access Signatures (SAS) | Time-limited, scope-limited, permission-limited access tokens for storage resources |
| Azure RBAC for Blob Storage | Role-based access control with per-user or per-service scoped permissions |
| Managed Identities | Credential-free authentication for Azure services — no keys to hardcode or leak |
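As an added example (not the vendor's code), here is the backend-side pattern the table points at, in Go: the account key stays on the service, and each device is issued a service SAS limited to a single blob, read permission and a one-hour window. The string-to-sign follows the documented service SAS layout for version 2020-12-06 and is written out here so the scope is visible; in production the Azure SDKs provide the same computation. The account name examplestorage, the container and blob layout under ota/devices/<id>/manifest.json, the fixed clock and the all-zero key are assumptions made for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// sasVersion selects the string-to-sign layout used below (service SAS, 2020-12-06).
const sasVersion = "2020-12-06"

// BlobSAS signs a service SAS for one blob. The string-to-sign has sixteen
// newline-separated fields in this order: sp, st, se, canonicalized resource,
// si, sip, spr, sv, sr, snapshot time, encryption scope, then rscc, rscd, rsce,
// rscl, rsct. The signature is HMAC-SHA256 keyed with the decoded account key,
// so only the holder of the key (the backend) can mint tokens.
func BlobSAS(account, accountKey, container, blob, perms string, start, expiry time.Time) (string, error) {
	key, err := base64.StdEncoding.DecodeString(accountKey)
	if err != nil {
		return "", fmt.Errorf("account key is not base64: %w", err)
	}
	st := start.UTC().Format("2006-01-02T15:04:05Z")
	se := expiry.UTC().Format("2006-01-02T15:04:05Z")
	resource := "/blob/" + account + "/" + container + "/" + blob
	stringToSign := strings.Join([]string{
		perms, st, se, resource,
		"",                 // signed identifier: no stored access policy
		"",                 // signed IP range: any
		"https",            // signed protocol
		sasVersion,         // signed version
		"b",                // signed resource: a single blob
		"",                 // snapshot time
		"",                 // encryption scope
		"", "", "", "", "", // response header overrides (rscc..rsct)
	}, "\n")
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(stringToSign))
	q := url.Values{}
	q.Set("sv", sasVersion)
	q.Set("sr", "b")
	q.Set("sp", perms)
	q.Set("st", st)
	q.Set("se", se)
	q.Set("spr", "https")
	q.Set("sig", base64.StdEncoding.EncodeToString(mac.Sum(nil)))
	return q.Encode(), nil
}

// IssueDeviceToken is the backend side of the hardened design (hypothetical
// service code): a device gets read access to its own OTA manifest only, valid
// for one hour with a short clock-skew allowance. The account key stays on the
// backend; the device never sees it.
func IssueDeviceToken(account, accountKey, deviceID string, now time.Time) (string, error) {
	blob := "devices/" + deviceID + "/manifest.json"
	return BlobSAS(account, accountKey, "ota", blob, "r", now.Add(-5*time.Minute), now.Add(time.Hour))
}

// SASField reads one query parameter back out of a token, so a policy gate
// (or a reviewer) can check the scope a device actually received.
func SASField(token, name string) string {
	q, _ := url.ParseQuery(token)
	return q.Get(name)
}

// IsReadOnly rejects any token broader than read, the check a backend should
// apply before handing anything to a device.
func IsReadOnly(token string) bool { return SASField(token, "sp") == "r" }

// ConstructedKey is a fake key (64 zero bytes, base64) for the demo; ExampleNow
// is a fixed clock so the output is reproducible.
var (
	ConstructedKey = base64.StdEncoding.EncodeToString(make([]byte, 64))
	ExampleNow     = time.Date(2026, 2, 24, 10, 0, 0, 0, time.UTC)
)

func main() {
	tok, err := IssueDeviceToken("examplestorage", ConstructedKey, "device-0001", ExampleNow)
	if err != nil {
		panic(err)
	}
	// Constructed URL: the hostname follows the Azure naming scheme, the account is fictional.
	fmt.Println("https://examplestorage.blob.core.windows.net/ota/devices/device-0001/manifest.json?" + tok)
	fmt.Println("read-only:", IsReadOnly(tok), "expires:", SASField(tok, "se"))
}
```

Contrast this with the advisory's situation: a device holding the account key can reach every container for as long as the key is valid, whereas a token minted by IssueDeviceToken names one blob, one permission and one expiry, all of which are bound into the signature, so changing any of them invalidates it.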
The account key provides unrestricted access to all containers, including ~115,000 home interior camera images, 5+ years of diagnostic logs, and the OTA firmware update pipeline.
Recommended mitigations for device owners:
- Isolate the Gardyn device on a dedicated VLAN or IoT network segment
- Monitor for unexpected outbound connections from the device
Recommended fix for the vendor:
- Rotate all Azure Storage account keys immediately
- Remove hardcoded credentials from firmware and mobile application
- Implement per-device scoped SAS tokens with minimal permissions
- Set all containers to private access level
- Implement code signing for OTA firmware packages
- Add integrity verification for downloaded firmware
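The last two vendor fixes are what make writable OTA storage survivable. As an added example, not Gardyn's implementation, here is an Ed25519 manifest-signing scheme in Go: the build pipeline signs the firmware's version and SHA-256 digest with a key that never touches the storage account, and the device verifies that signature against a public key baked into its image before it hashes and flashes the download. The manifest layout, the version string and the image bytes are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest travels next to the firmware image in the OTA container. Because the
// signature is made with a key that is not the storage account key, write access
// to the container is no longer enough to push firmware: an attacker can replace
// the blobs, but cannot produce a manifest that verifies on the device.
type Manifest struct {
	Version   string
	SHA256    string // hex digest of the firmware image
	Signature []byte // Ed25519 over Version + "\n" + SHA256
}

func signedBytes(version, digest string) []byte { return []byte(version + "\n" + digest) }

// NewSigningKey generates the vendor's signing pair. In practice the private half
// lives in an HSM or offline signer and the public half is baked into the device image.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignFirmware runs in the build pipeline: hash the image, sign version plus hash.
func SignFirmware(priv ed25519.PrivateKey, version string, image []byte) Manifest {
	sum := sha256.Sum256(image)
	digest := hex.EncodeToString(sum[:])
	return Manifest{
		Version:   version,
		SHA256:    digest,
		Signature: ed25519.Sign(priv, signedBytes(version, digest)),
	}
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify")
	ErrDigest       = errors.New("firmware image does not match signed digest")
)

// VerifyFirmware runs on the device before anything is flashed. The signature is
// checked first, so an attacker-supplied manifest cannot steer the digest
// comparison; only then is the downloaded image hashed and compared.
func VerifyFirmware(pub ed25519.PublicKey, m Manifest, image []byte) error {
	if !ed25519.Verify(pub, signedBytes(m.Version, m.SHA256), m.Signature) {
		return ErrBadSignature
	}
	sum := sha256.Sum256(image)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrDigest
	}
	return nil
}

func main() {
	pub, priv := NewSigningKey()
	image := []byte("constructed firmware image, version 2.0.1")
	m := SignFirmware(priv, "2.0.1", image)
	fmt.Println("genuine image:   ", VerifyFirmware(pub, m, image))
	// Blob swapped in storage, manifest left alone: digest mismatch.
	fmt.Println("swapped blob:    ", VerifyFirmware(pub, m, []byte("replaced image")))
	// Blob and manifest both replaced, but signed with a key the device does not trust.
	_, otherPriv := NewSigningKey()
	forged := SignFirmware(otherPriv, "2.0.1", []byte("replaced image"))
	fmt.Println("forged manifest: ", VerifyFirmware(pub, forged, []byte("replaced image")))
}
```

The point of binding the version into the signed bytes is that a manifest cannot be re-labelled without re-signing; a production scheme would additionally compare the signed version against the installed one to refuse downgrades, which is outside what the advisory lists.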
| Date | Event |
|---|---|
| 2025-10-14 | Initial disclosure to vendor (researcher + consumer action — dual-capacity; the researcher disclosed as an affected Gardyn customer in addition to acting as the discovering researcher; see VU653116 standing note) |
| 2025-12-11 | Disclosure to CERT/CC (researcher + consumer action — dual-capacity; 58 days after initial vendor disclosure) |
| 2026-02-24 | ICSA-26-055-03 published (initial) |
| 2026-04-02 | ICSA-26-055-03 Update A: CVE-2025-10681 added |
Reported by Michael Groberman — Gr0m to CISA.