Cyber Resilience

CVE-2025-1242

Critical

Published: 25 February 2026

Modified: 15 April 2026
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0044 (34.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-1242 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Mygardyn (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The CVE ranks at the 34.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SA-8 (Security and Privacy Engineering Principles).

Deeper analysis

CVE-2025-1242 affects the Gardyn IoT Hub, where administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. This vulnerability, linked to CWE-798 (Use of Hard-coded Credentials), carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), classifying it as critical due to high confidentiality and integrity impacts.

Any unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. Exploitation enables full administrative access to the Gardyn IoT Hub, potentially exposing connected devices to malicious control.

Mitigation guidance is available in related advisories, including CISA ICSA-26-055-03 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03, the Gardyn security page at https://mygardyn.com/security/, and the CSAF JSON file at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-055-03.json.

Vulnerability details

The administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. The exposure may result in an attacker gaining full administrative access to the Gardyn IoT Hub, exposing connected devices to malicious control.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1552 Unsecured Credentials (Tactic: Credential Access)
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Hard-coded administrative credentials (CWE-798) directly exposed via API/firmware reverse engineering enable credential access via T1552 Unsecured Credentials, leading to T1078 account use.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2019-25470 (shared CWE-798)
CVE-2026-40636 (shared CWE-798)
CVE-2024-52902 (shared CWE-798)
CVE-2025-27643 (shared CWE-798)
CVE-2026-5065 (shared CWE-798)
CVE-2026-2103 (shared CWE-798)
CVE-2026-7414 (shared CWE-798)
CVE-2026-9139 (shared CWE-798)
CVE-2026-26218 (shared CWE-798)
CVE-2019-25722 (shared CWE-798)

Affected Assets

Mygardyn
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: IA-5 mandates secure management of authenticators, prohibiting hard-coding and unauthorized disclosure, directly preventing extraction of administrative credentials from API responses, mobile apps, and firmware.

Prevent: SA-8 requires application of security engineering principles in development to avoid hard-coded credentials and ensure secure design, comprehensively addressing the root cause in firmware and mobile application code.

Prevent: AC-3 enforces access control policies and mechanisms to prevent unauthorized leakage of sensitive administrative credentials in application API responses.
