Skip to main content

Mobile Application EUVDEUVD-2025-209213

| CVE-2025-10681 HIGH
Use of Hard-coded Credentials (CWE-798)
2026-04-03 icscert GHSA-wp3p-cjw9-x99v
8.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:06 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.11.0,2.12.2026
EUVD ID Assigned
Apr 03, 2026 - 20:45 euvd
EUVD-2025-209213
Analysis Generated
Apr 03, 2026 - 20:45 vuln.today
CVE Published
Apr 03, 2026 - 20:26 nvd
HIGH 8.8

DescriptionCVE.org

Storage credentials are hardcoded in the mobile app and device firmware. These credentials do not adequately limit end user permissions and do not expire within a reasonable amount of time. This vulnerability may grant unauthorized access to production storage containers.

AnalysisAI

Hardcoded storage credentials in Gardyn mobile application and device firmware grant unauthenticated remote attackers access to production cloud storage containers with excessive permissions. The CVSS v4.0 score of 8.8 reflects network-accessible attack vector with no complexity barriers, enabling high confidentiality impact and limited integrity/availability impact. CISA ICS-CERT disclosure indicates industrial/IoT context. No public exploit identified at time of analysis, though hardcoded credential vulnerabilities are trivial to exploit once discovered. EPSS data not available for this recent CVE.

Technical ContextAI

This vulnerability exemplifies CWE-798 (Use of Hard-coded Credentials), a critical authentication antipattern where static credentials are embedded directly in application binaries or firmware images. The Gardyn mobile application and associated device firmware contain plaintext or weakly obfuscated cloud storage access credentials that cannot be rotated without firmware/app updates. These credentials authenticate to backend storage containers (likely AWS S3, Azure Blob, or similar) with overly permissive IAM policies, violating the principle of least privilege. The credentials lack time-based expiration, creating a permanent authentication bypass. Reverse engineering mobile applications (.apk/.ipa files) or extracting firmware images trivially exposes these credentials, as they must be readable by the application runtime. The CPE strings identify Gardyn mobile application and cloud API as affected components, suggesting a smart gardening IoT ecosystem where both edge devices and mobile clients share the same hardcoded backend credentials.

RemediationAI

Primary remediation requires updating to patched versions of the Gardyn mobile application and device firmware that remove hardcoded credentials and implement proper authentication mechanisms such as OAuth 2.0, per-device unique credentials, or short-lived STS tokens. Specific patched version numbers are not confirmed from available data; consult the vendor security advisory at https://mygardyn.com/security/ for release information. Backend mitigation requires immediate rotation of the compromised storage credentials and implementation of least-privilege IAM policies with time-based session tokens. Organizations should invalidate existing hardcoded credentials in cloud storage access policies and deploy credential rotation infrastructure. As an interim workaround, network-level controls such as IP allowlisting on storage bucket policies may reduce exposure, though this does not address the root vulnerability. Review CISA advisory ICSA-26-055-03 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03 and the CSAF document at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-03.json for comprehensive mitigation guidance.

Share

EUVD-2025-209213 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy