CVE-2025-10681
Published: 03 April 2026
Summary
CVE-2025-10681 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Mygardyn (inferred from references). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVE ranks at the 17.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
IA-5 requires organizations to manage authenticators systemically, prohibiting hardcoding, enforcing expiration, and ensuring secure handling to prevent unauthorized access via embedded credentials.
AC-6 enforces least privilege for access, directly countering the CVE's hardcoded credentials that fail to limit end-user permissions adequately.
SA-8 mandates application of security engineering principles in system design and development, preventing flaws like embedding non-expiring, over-privileged hardcoded credentials in apps and firmware.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Hardcoded credentials in app/firmware directly enable credential extraction (T1552.001) and subsequent use of valid cloud accounts (T1078.004) to access cloud storage data (T1530).
NVD Description
Storage credentials are hardcoded in the mobile app and device firmware. These credentials do not adequately limit end user permissions and do not expire within a reasonable amount of time. This vulnerability may grant unauthorized access to production storage containers.
Deeper analysis (AI)
CVE-2025-10681 involves hardcoded storage credentials embedded in the mobile app and device firmware of affected products. These credentials fail to adequately restrict end-user permissions and do not expire within a reasonable timeframe, potentially enabling unauthorized access to production storage containers. The vulnerability is classified under CWE-798 (Use of Hard-coded Credentials) with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites for exploitation.
A remote attacker with no privileges or user interaction required can exploit this vulnerability by extracting the hardcoded credentials from the mobile app or device firmware. Successful exploitation grants high confidentiality impact through unauthorized access to production storage, alongside low integrity and availability impacts, such as limited modification or disruption of stored data.
Mitigation details are outlined in official advisories, including CISA ICS Advisory ICSA-26-055-03 (available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03), the vendor security notice at https://mygardyn.com/security/, and the corresponding CSAF file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-03.json. Security practitioners should consult these resources for patching instructions, workarounds, and updated firmware or app versions.
Details
- CWE(s)