Cyber Resilience

CVE-2025-10681

Severity: High
Published: 03 April 2026
Modified: 07 April 2026
KEV Added: not listed
Patch: not recorded
CVSS v4.0 Score: 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N; threat, environmental and supplemental metrics not defined)
EPSS Score: 0.0027 (19.1st percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2025-10681 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Mygardyn products (the affected product is inferred from the references; NVD has not filed a CPE). Its CVSS v4.0 base score is 8.8 (High); the CVSS v3.1 base score is 8.6.

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). EPSS ranks it at the 19.1st percentile by exploit likelihood, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-10681 involves storage credentials hardcoded in the mobile app and device firmware of affected products. These credentials do not adequately restrict end-user permissions and do not expire within a reasonable timeframe, so anyone who extracts them can gain unauthorized access to production storage containers. The vulnerability is classified as CWE-798 (Use of Hard-coded Credentials) and carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L): network-reachable, low attack complexity, and no privileges or user interaction required.

A remote attacker needs no privileges and no user interaction. The credentials are recoverable from a copy of the mobile app or the device firmware with ordinary static analysis (string extraction, decompilation), and because they are hardcoded, every copy of the app and every device carries the same values. Successful exploitation yields a high confidentiality impact (unauthorized read of production storage) with low integrity and availability impacts (limited modification or disruption of stored data).
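
The extraction step described above, as an added example that is not code from the advisory, CISA or the vendor: a scanner that runs over a `strings`-style dump of an app or firmware image and reports embedded storage credentials with the secret redacted. The credential patterns, the placeholder heuristics and the sample dump are constructed assumptions, and none of the values are real credentials. The same check belongs in the defender's CI pipeline for app and firmware builds, where it catches the flaw before an image ships.

```python
"""Added example (not code from the advisory, CISA or the vendor): scan a
`strings`-style dump of an extracted mobile app or firmware image for
embedded storage credentials, the CWE-798 pattern this CVE describes.
The credential shapes, the placeholder rules and the sample dump are
assumptions constructed for illustration."""
from __future__ import annotations

import math
import re
from collections import Counter
from dataclasses import dataclass

# Credential shapes worth flagging in an app/firmware build. Each regex names the
# secret itself as group "secret" so it can be redacted in the report. Assumed
# shapes: AWS access key ID, Azure storage connection string, and a generic
# storage key/secret/token assignment. Most specific patterns come first.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?P<secret>(?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "azure_storage_connection_string": re.compile(
        r"AccountName=[^;\s]+;AccountKey=(?P<secret>[A-Za-z0-9+/]{40,}={0,2})"),
    "generic_key_assignment": re.compile(
        r"(?i)\b(?:storage[_-]?(?:key|secret|token)|account[_-]?key)\b"
        r"""\s*[=:]\s*['"]?(?P<secret>[A-Za-z0-9+/=_-]{20,})"""),
}

# Build-time placeholders that the generic pattern would otherwise report.
PLACEHOLDER_WORDS = re.compile(
    r"(?i)placeholder|changeme|replace[_-]?me|your[_-]?(?:key|secret)|xxxx|todo")


@dataclass(frozen=True)
class Finding:
    kind: str
    line_no: int
    redacted: str  # never write the full secret into a scan report


def shannon_entropy(s: str) -> float:
    """Bits per character; real keys score high, English-like placeholders low."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def is_placeholder(secret: str) -> bool:
    return bool(PLACEHOLDER_WORDS.search(secret)) or shannon_entropy(secret) < 3.0


def redact(secret: str) -> str:
    return f"{secret[:4]}...{secret[-4:]}" if len(secret) > 12 else "***"


def extract_strings(blob: bytes, min_len: int = 8) -> str:
    """Approximation of the `strings` tool: printable ASCII runs of at least
    min_len bytes, one per line, so a raw firmware image can be scanned directly."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    return "\n".join(r.decode("ascii") for r in runs)


def scan_strings(dump: str) -> list[Finding]:
    findings: list[Finding] = []
    seen: set[tuple[int, str]] = set()
    for line_no, line in enumerate(dump.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                secret = m.group("secret")
                if (line_no, secret) in seen:
                    continue  # already reported under a more specific pattern
                if kind == "generic_key_assignment" and is_placeholder(secret):
                    continue  # build-time placeholder, not a shipped credential
                seen.add((line_no, secret))
                findings.append(Finding(kind, line_no, redact(secret)))
    return findings


# Constructed sample: what `strings` might print for a firmware image that ships
# a storage account key. None of these values are real credentials.
FIRMWARE_DUMP = """\
/usr/bin/devicectl
Copyright (c) 2025 Example Vendor
STORAGE_ENDPOINT=https://exampleprodstore.blob.core.windows.net
DefaultEndpointsProtocol=https;AccountName=exampleprodstore;AccountKey=AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKl==;EndpointSuffix=core.windows.net
aws_region=us-east-1
AWS_ACCESS_KEY_ID=AKIA0000TESTKEY00000
storage_token = "placeholder-replace-me-at-build"
mqtt_topic=devices/%s/telemetry
"""

if __name__ == "__main__":
    for f in scan_strings(FIRMWARE_DUMP):
        print(f"line {f.line_no}: {f.kind} {f.redacted}")
```

On the sample dump the scanner reports the Azure account key on line 4 and the AWS key ID on line 6, skips the build placeholder on line 7, and reports the account key once even though two patterns match it. Feed it the output of `strings -n 8 firmware.bin`, or pass the raw image to `extract_strings`; the same shapes turn up in decompiled APK/IPA resources and in configuration files inside a firmware root filesystem.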

Mitigation details are outlined in official advisories, including CISA ICS Advisory ICSA-26-055-03 (available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03), the vendor security notice at https://mygardyn.com/security/, and the corresponding CSAF file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-03.json. Security practitioners should consult these resources for patching instructions, workarounds, and updated firmware or app versions.

Vulnerability details

Storage credentials are hardcoded in the mobile app and device firmware. These credentials do not adequately limit end user permissions and do not expire within a reasonable amount of time. This vulnerability may grant unauthorized access to production storage containers.

CWE(s)

CWE-798 Use of Hard-coded Credentials

Related Threats

MITRE ATT&CK Enterprise Techniques

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
T1078.004 Cloud Accounts (Initial Access, Persistence, Privilege Escalation, Defense Evasion)
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1530 Data from Cloud Storage (Collection)
Adversaries may access data from cloud storage.
Why these techniques?

Hardcoded credentials in app/firmware directly enable credential extraction (T1552.001) and subsequent use of valid cloud accounts (T1078.004) to access cloud storage data (T1530).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-48242 (shared CWE-798)
CVE-2025-55263 (shared CWE-798)
CVE-2026-24840 (shared CWE-798)
CVE-2026-40636 (shared CWE-798)
CVE-2025-40537 (shared CWE-798)
CVE-2026-26334 (shared CWE-798)
CVE-2026-48241 (shared CWE-798)
CVE-2025-27643 (shared CWE-798)
CVE-2024-36556 (shared CWE-798)
CVE-2025-14115 (shared CWE-798)

Affected Assets

Mygardyn (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

IA-5 Authenticator Management (prevent)
IA-5 requires organizations to manage authenticators systematically: prohibit embedding them in code or firmware, enforce expiration and rotation, and protect them in storage and transit, so that credentials cannot simply be recovered from a shipped app or image.

AC-6 Least Privilege (prevent)
AC-6 enforces least privilege for access, directly countering the CVE's hardcoded credentials that fail to limit end-user permissions adequately; a credential handed to a device or app should grant only the containers, paths and operations that device actually needs.

SA-8 Security and Privacy Engineering Principles (prevent)
SA-8 mandates application of security engineering principles in system design and development, preventing flaws like embedding non-expiring, over-privileged hardcoded credentials in apps and firmware.
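
IA-5 and AC-6 in concrete form, as an added example that is neither the vendor's code nor any storage provider's API: the CWE-798 pattern (one account key embedded in every build) beside a credential broker that mints short-lived, per-device, least-privilege storage tokens which the storage side verifies. The token layout, claim names, signing key and device identifiers are constructed assumptions; in production the same role is played by a provider's scoped, expiring credential (a SAS token or pre-signed URL, for instance), and it is the technique, not this token format, that matters.

```python
"""Added example (not the vendor's code): the CWE-798 pattern beside a
hardened alternative in which the backend mints short-lived, narrowly
scoped storage tokens instead of shipping one long-lived account key in
every app and firmware image. Token format, claim names and the sample
values are assumptions constructed for illustration."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import posixpath

# ---- Before: one account key baked into every build (the CWE-798 pattern) ----
# Constructed value. Whoever extracts it from any copy of the app or firmware
# holds the same rights as the vendor until the key is rotated: no scope,
# no expiry, no way to tell devices apart.
EMBEDDED_ACCOUNT_KEY = "AbCdEfGhIjKlMnOpQrStUvWxYz0123456789AbCdEfGhIjKlMnOpQrStUvWxYz=="


def authorize_with_embedded_key(presented_key: str, op: str, path: str) -> bool:
    """Storage-side check as it effectively works with a shared account key."""
    return hmac.compare_digest(presented_key, EMBEDDED_ACCOUNT_KEY)  # op and path ignored


# ---- After: per-device, time-boxed, least-privilege tokens ----
# The signing key lives only on the backend and the storage service; devices
# never see it. A device authenticates to the backend with its own identity
# (assumed, out of scope here) and receives a token good for its own prefix.

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_scoped_token(signing_key: bytes, device_id: str, perms: list[str],
                      ttl_seconds: int, now: int) -> str:
    """Issue a token limited to one container, one per-device prefix, the listed
    operations and a short lifetime. Returns "<claims>.<hmac-sha256 hex>"."""
    claims = {
        "sub": device_id,
        "container": "telemetry",
        "prefix": f"devices/{device_id}/",
        "perms": perms,
        "exp": now + ttl_seconds,
    }
    body = _b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(signing_key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def authorize(signing_key: bytes, token: str, op: str, container: str,
              path: str, now: int) -> tuple[bool, str]:
    """Storage-side check: signature, then expiry, then scope, then permission.
    Returns (allowed, reason)."""
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return False, "malformed"
    expected = hmac.new(signing_key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"  # verify before trusting any claim
    claims = json.loads(_b64url_decode(body))
    if now >= claims["exp"]:
        return False, "expired"
    # Normalise so "devices/A/../B/x" cannot escape the granted prefix.
    normalized = posixpath.normpath(path)
    if container != claims["container"] or not normalized.startswith(claims["prefix"]):
        return False, "out of scope"
    if op not in claims["perms"]:
        return False, "permission not granted"
    return True, "ok"


if __name__ == "__main__":
    key = b"backend-signing-key-never-shipped-to-devices"  # constructed
    t0 = 1_700_000_000
    tok = mint_scoped_token(key, "dev-A", ["write"], 900, t0)
    print(authorize(key, tok, "write", "telemetry", "devices/dev-A/2026-04-03.json", t0 + 60))
    print(authorize(key, tok, "read", "telemetry", "devices/dev-B/x.json", t0 + 60))
    print(authorize(key, tok, "write", "telemetry", "devices/dev-A/x.json", t0 + 901))
```

A token lifted from one device is bounded to that device's prefix, the operations it was granted and a lifetime of minutes, so the blast radius of extraction collapses from the whole production storage account to one device's own data for one ttl window. Rotating the signing key on the backend invalidates every outstanding token at once, which a key embedded in firmware cannot offer without a fleet-wide update. The `normpath` step is the check most often forgotten: without it a prefix comparison on the raw path lets `devices/dev-A/../dev-B/x` pass as in scope.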

References

CISA ICS Advisory ICSA-26-055-03: https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03
Vendor security notice: https://mygardyn.com/security/
CISA CSAF file: https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-03.json