What is the CVSS score of CVE-2025-1242?

CVE-2025-1242 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of IoT are affected by CVE-2025-1242?

Administrative credentials are exposed through API responses and reverse engineering of mobile and firmware components, creating an immediate risk of unauthorized system access and complete…

How to fix or mitigate CVE-2025-1242?

Within 24 hours: Inventory all systems running the affected application and restrict API access to trusted networks only; disable mobile app and firmware update mechanisms if possible. Within 7 days: Rotate all administrative credentials, implement enhanced monitoring for unauthorized API access patterns, and engage with vendor for interim mitigations. Within 30 days: Deploy network segmentation to isolate administrative interfaces, implement API response filtering/obfuscation at WAF/proxy layer, and establish timeline for vendor patch or application replacement.

IoT CVE-2025-1242

CRITICAL

Use of Hard-coded Credentials (CWE-798)

2026-02-25 ics-cert@hq.dhs.gov

IoT

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 25, 2026 - 16:23 nvd

CRITICAL 9.1

DescriptionNVD

The administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. The exposure may result in an attacker gaining full administrative access to the Gardyn IoT Hub exposing connected devices to malicious control.

AnalysisAI

Hardcoded credentials extractable through API responses and mobile app reverse engineering in an enterprise application. Administrative credentials are exposed in multiple channels.

Technical ContextAI

CWE-798 hardcoded credentials. Admin credentials are embedded in API responses and the mobile application binary, extractable through API calls or reverse engineering.

Affected ProductsAI

Affected enterprise application

RemediationAI

Remove hardcoded credentials from API responses and mobile app. Implement proper credential management.

CVE-2025-1242 vulnerability details – vuln.today

Back

IoT CVE-2025-1242

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

External POC / Exploit Code