Cyber Posture

CVE-2025-1242

Critical

Published: 25 February 2026

Modified: 15 April 2026
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0004 (12.9th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1242 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Mygardyn (inferred from references). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The CVE ranks at the 12.9th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SA-8 (Security and Privacy Engineering Principles).

Threat & Defense at a Glance

What attackers do: exploitation maps to Unsecured Credentials (T1552).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: IA-5 mandates secure management of authenticators, prohibiting hard-coding and unauthorized disclosure, directly preventing extraction of administrative credentials from API responses, mobile apps, and firmware.

prevent: SA-8 requires application of security engineering principles in development to avoid hard-coded credentials and ensure secure design, comprehensively addressing the root cause in firmware and mobile application code.

prevent: AC-3 enforces access control policies and mechanisms to prevent unauthorized leakage of sensitive administrative credentials in application API responses.

MITRE ATT&CK Enterprise Techniques

T1552 Unsecured Credentials (Credential Access)
Adversaries may search compromised systems to find and obtain insecurely stored credentials.

Why these techniques?

Hard-coded administrative credentials (CWE-798) directly exposed via API/firmware reverse engineering enable credential access via T1552 Unsecured Credentials, leading to T1078 account use.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

The administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. The exposure may result in an attacker gaining full administrative access to the Gardyn IoT Hub exposing connected devices to malicious control.

Deeper analysis

CVE-2025-1242 affects the Gardyn IoT Hub, where administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. This vulnerability, linked to CWE-798 (Use of Hard-coded Credentials), carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), classifying it as critical due to high confidentiality and integrity impacts.

Any unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Exploitation enables full administrative access to the Gardyn IoT Hub, potentially exposing connected devices to malicious control.

Mitigation guidance is available in related advisories, including CISA ICSA-26-055-03 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03, the Gardyn security page at https://mygardyn.com/security/, and the CSAF JSON file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-03.json.

Details

CWE(s)

Affected Products

Mygardyn
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-27643: Shared CWE-798
CVE-2024-52902: Shared CWE-798
CVE-2026-2103: Shared CWE-798
CVE-2026-24346: Shared CWE-798
CVE-2025-35451: Shared CWE-798
CVE-2025-40537: Shared CWE-798
CVE-2024-53356: Shared CWE-798
CVE-2025-7401: Shared CWE-798
CVE-2025-26410: Shared CWE-798
CVE-2025-1393: Shared CWE-798

References