Cloud Api
Monthly
Hardcoded storage credentials in Gardyn mobile application and device firmware grant unauthenticated remote attackers access to production cloud storage containers with excessive permissions. The CVSS v4.0 score of 8.8 reflects network-accessible attack vector with no complexity barriers, enabling high confidentiality impact and limited integrity/availability impact. CISA ICS-CERT disclosure indicates industrial/IoT context. No public exploit identified at time of analysis, though hardcoded credential vulnerabilities are trivial to exploit once discovered. EPSS data not available for this recent CVE.
Insecure Direct Object Reference (IDOR) vulnerability in Gardyn Cloud API allows unauthenticated remote attackers to access and modify arbitrary user profiles by manipulating ID parameters in API calls. CVSS:4.0 rates this 9.3 (Critical) with network-accessible attack vector requiring no privileges or user interaction, enabling unauthorized access to high-sensitivity user data and profile modification. CISA ICS-CERT issued advisory ICSA-26-055-03 for this IoT/smart garden system vulnerability. No public exploit identified at time of analysis, though the attack technique (parameter manipulation) is trivial to execute.
Unauthenticated access to complete user account data in Gardyn Cloud API allows remote attackers to retrieve sensitive information for all registered users. The vulnerability stems from an unprotected endpoint exposing full account details without authentication checks (CVSS 9.2, AV:N/PR:N). CISA ICS-CERT has published an advisory, indicating exposure in operational technology/IoT contexts. No public exploit identified at time of analysis, though the vulnerability's simplicity (low attack complexity, no privileges required) makes exploitation straightforward once the endpoint is discovered.
Unauthenticated attackers can access administrative endpoint notifications in Gardyn Cloud API without proper authentication, allowing information disclosure via an authentication bypass vulnerability. The CVSS 6.9 score reflects the network accessibility and lack of required privileges, though impact is limited to confidentiality. No public exploit code or active exploitation has been confirmed at time of analysis.
Unauthenticated remote access to administrative endpoints in Gardyn Cloud API exposes device management functions to network attackers. The CVSS:4.0 vector (AV:N/AC:L/PR:N) confirms network-reachable exploitation requiring no authentication or user interaction, with high confidentiality impact. EPSS data unavailable, but authentication bypass vulnerabilities (CWE-306) are frequently targeted when exposed on internet-facing APIs. CISA ICS-CERT advisory indicates IoT/OT context, suggesting potential for unauthorized device control. No confirmed active exploitation (not on CISA KEV) and no public exploit identified at time of analysis.
Gardyn Cloud API exposes development and test endpoints that mirror production functionality, allowing unauthenticated remote attackers to access sensitive information with low complexity. This information disclosure vulnerability (CVSS 6.9) affects all versions of Gardyn Cloud API and has been documented by CISA ICS in advisory ICSA-26-055-03; no public exploit code or active exploitation has been identified at the time of analysis.
Hardcoded storage credentials in Gardyn mobile application and device firmware grant unauthenticated remote attackers access to production cloud storage containers with excessive permissions. The CVSS v4.0 score of 8.8 reflects network-accessible attack vector with no complexity barriers, enabling high confidentiality impact and limited integrity/availability impact. CISA ICS-CERT disclosure indicates industrial/IoT context. No public exploit identified at time of analysis, though hardcoded credential vulnerabilities are trivial to exploit once discovered. EPSS data not available for this recent CVE.
Insecure Direct Object Reference (IDOR) vulnerability in Gardyn Cloud API allows unauthenticated remote attackers to access and modify arbitrary user profiles by manipulating ID parameters in API calls. CVSS:4.0 rates this 9.3 (Critical) with network-accessible attack vector requiring no privileges or user interaction, enabling unauthorized access to high-sensitivity user data and profile modification. CISA ICS-CERT issued advisory ICSA-26-055-03 for this IoT/smart garden system vulnerability. No public exploit identified at time of analysis, though the attack technique (parameter manipulation) is trivial to execute.
Unauthenticated access to complete user account data in Gardyn Cloud API allows remote attackers to retrieve sensitive information for all registered users. The vulnerability stems from an unprotected endpoint exposing full account details without authentication checks (CVSS 9.2, AV:N/PR:N). CISA ICS-CERT has published an advisory, indicating exposure in operational technology/IoT contexts. No public exploit identified at time of analysis, though the vulnerability's simplicity (low attack complexity, no privileges required) makes exploitation straightforward once the endpoint is discovered.
Unauthenticated attackers can access administrative endpoint notifications in Gardyn Cloud API without proper authentication, allowing information disclosure via an authentication bypass vulnerability. The CVSS 6.9 score reflects the network accessibility and lack of required privileges, though impact is limited to confidentiality. No public exploit code or active exploitation has been confirmed at time of analysis.
Unauthenticated remote access to administrative endpoints in Gardyn Cloud API exposes device management functions to network attackers. The CVSS:4.0 vector (AV:N/AC:L/PR:N) confirms network-reachable exploitation requiring no authentication or user interaction, with high confidentiality impact. EPSS data unavailable, but authentication bypass vulnerabilities (CWE-306) are frequently targeted when exposed on internet-facing APIs. CISA ICS-CERT advisory indicates IoT/OT context, suggesting potential for unauthorized device control. No confirmed active exploitation (not on CISA KEV) and no public exploit identified at time of analysis.
Gardyn Cloud API exposes development and test endpoints that mirror production functionality, allowing unauthenticated remote attackers to access sensitive information with low complexity. This information disclosure vulnerability (CVSS 6.9) affects all versions of Gardyn Cloud API and has been documented by CISA ICS in advisory ICSA-26-055-03; no public exploit code or active exploitation has been identified at the time of analysis.