Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Storage credentials are hardcoded in the mobile app and device firmware. These credentials do not adequately limit end user permissions and do not expire within a reasonable amount of time. This vulnerability may grant unauthorized access to production storage containers.
AnalysisAI
Hardcoded storage credentials in Gardyn mobile application and device firmware grant unauthenticated remote attackers access to production cloud storage containers with excessive permissions. The CVSS v4.0 score of 8.8 reflects network-accessible attack vector with no complexity barriers, enabling high confidentiality impact and limited integrity/availability impact. CISA ICS-CERT disclosure indicates industrial/IoT context. No public exploit identified at time of analysis, though hardcoded credential vulnerabilities are trivial to exploit once discovered. EPSS data not available for this recent CVE.
Technical ContextAI
This vulnerability exemplifies CWE-798 (Use of Hard-coded Credentials), a critical authentication antipattern where static credentials are embedded directly in application binaries or firmware images. The Gardyn mobile application and associated device firmware contain plaintext or weakly obfuscated cloud storage access credentials that cannot be rotated without firmware/app updates. These credentials authenticate to backend storage containers (likely AWS S3, Azure Blob, or similar) with overly permissive IAM policies, violating the principle of least privilege. The credentials lack time-based expiration, creating a permanent authentication bypass. Reverse engineering mobile applications (.apk/.ipa files) or extracting firmware images trivially exposes these credentials, as they must be readable by the application runtime. The CPE strings identify Gardyn mobile application and cloud API as affected components, suggesting a smart gardening IoT ecosystem where both edge devices and mobile clients share the same hardcoded backend credentials.
RemediationAI
Primary remediation requires updating to patched versions of the Gardyn mobile application and device firmware that remove hardcoded credentials and implement proper authentication mechanisms such as OAuth 2.0, per-device unique credentials, or short-lived STS tokens. Specific patched version numbers are not confirmed from available data; consult the vendor security advisory at https://mygardyn.com/security/ for release information. Backend mitigation requires immediate rotation of the compromised storage credentials and implementation of least-privilege IAM policies with time-based session tokens. Organizations should invalidate existing hardcoded credentials in cloud storage access policies and deploy credential rotation infrastructure. As an interim workaround, network-level controls such as IP allowlisting on storage bucket policies may reduce exposure, though this does not address the root vulnerability. Review CISA advisory ICSA-26-055-03 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03 and the CSAF document at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-03.json for comprehensive mitigation guidance.
More in Mobile Application
View allBrute force exploitation of the Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application (versions 1.6.2
Insufficient session expiration in the Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application versions
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209213
GHSA-wp3p-cjw9-x99v