Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Key grants network access with no per-user auth (PR:N) and full registry/command rights; scope changes (S:C) since one device's key controls the whole fleet and enables network pivot; availability impact only partial (A:L).
Primary rating from Vendor (hq).
CVSS VectorVendor: hq
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Gardyn devices expose a privileged iothubowner key. Access to this key will allow a malicious user to invoke an IoTHub Registry Manager function which returns connection information for all Gardyn Home Kit and Studio devices. Access to this key also allows a malicious user to execute arbitrary commands on a specific connected device and may allow the malicious user to pivot to other devices on the user's network.
AnalysisAI
Cloud takeover of Gardyn smart indoor garden devices is possible because a privileged Azure IoT Hub 'iothubowner' shared-access key is embedded in the product, letting a malicious actor query the IoT Hub Registry Manager to enumerate connection details for every Gardyn Home Kit and Studio device and then push arbitrary commands to a targeted unit. Because the key is service-level rather than per-device, one extracted credential compromises the entire fleet, and the attacker may pivot from a controlled device onto the victim's home or corporate LAN. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to first obtain the privileged Azure IoT Hub 'iothubowner' shared-access key that Gardyn embeds in its product (reflected as AT:P in the CVSS 4.0 vector); once that single fleet-wide key is held, no per-user authentication is needed (PR:N) because the key itself authorizes IoT Hub Registry Manager calls, device enumeration, and command execution against any connected Home Kit or Studio device. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L, score 9.5) rates this Critical: network-reachable, low complexity, no privileges, no user interaction, with high confidentiality and integrity impact on both the vulnerable system and subsequent systems. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker extracts the embedded iothubowner key from Gardyn firmware or the companion mobile app, then calls the Azure IoT Hub Registry Manager to dump connection strings for every Home Kit and Studio device in the fleet. Using those credentials the attacker issues arbitrary commands to a chosen victim's device and attempts to pivot onto that user's home network; no public proof-of-concept is identified at time of analysis. |
| Remediation | The fix is a vendor-side change: because the defect is a hard-coded/exposed service credential, the corrective action is Gardyn rotating and re-scoping the leaked iothubowner key and removing it from the device/app, so users should apply any firmware or app update Gardyn publishes and monitor https://mygardyn.com/security/ and CISA ICSA-26-183-03 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-183-03) for the patched version - no exact fixed version is stated in the available data, so this is Patch available per vendor advisory rather than a confirmed release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Disconnect all Gardyn devices from networks; document device locations and network associations. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41464
GHSA-22gx-ghv9-47gj