PatchSiren cyber security CVE debrief

CVE-2025-10681 Gardyn CVE debrief

CVE-2025-10681 is a high-severity Gardyn issue where storage credentials are hardcoded in the mobile app and device firmware. CISA’s advisory says the credentials do not adequately limit end-user permissions and do not expire in a reasonable time, which may allow unauthorized access to production storage containers.

Vendor: Gardyn
Product (affected versions): <master.619
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-24
Original CVE updated: 2026-04-02
Advisory published: 2026-02-24
Advisory updated: 2026-04-02

Who should care

Gardyn Home and Studio users, administrators supporting the Gardyn mobile app or connected devices, and defenders responsible for firmware/app update management and cloud credential hygiene.

Technical summary

According to CISA advisory ICSA-26-055-03, the vulnerable design embeds storage credentials in the Gardyn mobile app and firmware. The advisory says those credentials are overly permissive and long-lived, creating a path to unauthorized access to production storage containers. CISA’s update on 2026-04-02 added the vulnerability details and remediation guidance, including upgrading the Gardyn mobile app and updating Home/Studio firmware to master.622 or later.

Defensive priority

High — prioritize patching and version verification because exposed, long-lived credentials can be used to reach production storage resources.

Recommended defensive actions

  • Update the Gardyn mobile application to the latest supported version.
  • Upgrade Gardyn Home Kit and Studio devices to firmware master.622 or later.
  • Verify the current app and firmware versions in the Gardyn app.
  • Keep affected devices connected to the internet so firmware updates can download automatically.
  • Follow Gardyn’s published security guidance and contact support if updates do not apply cleanly.
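A fleet-level version check for the verification step above, added here as an example and not code from Gardyn, CISA or PatchSiren. It assumes firmware version strings use the "master.NNN" form the advisory shows, treats builds below master.619 as affected and master.622 or later as fixed, and flags anything in between (or in an unrecognised format) for manual review rather than guessing.

```python
import re

# Thresholds taken from the advisory: affected is "<master.619", fixed is master.622 or later.
AFFECTED_BELOW = 619
FIXED_AT = 622

# Assumed format of a Gardyn firmware string, e.g. "master.622".
VERSION_RE = re.compile(r"^master\.(\d+)$")


def parse_build(version):
    """Return the numeric build of a 'master.NNN' string, or None if it is not in that form."""
    match = VERSION_RE.match(version.strip())
    return int(match.group(1)) if match else None


def classify(version):
    """Classify one firmware version against the advisory's thresholds.

    Returns 'affected', 'fixed', 'unclear' (between the stated affected range and the
    fixed build, so not covered by the advisory text) or 'unknown' (unrecognised format).
    """
    build = parse_build(version)
    if build is None:
        return "unknown"
    if build < AFFECTED_BELOW:
        return "affected"
    if build >= FIXED_AT:
        return "fixed"
    return "unclear"


def triage(inventory):
    """Group a {device_id: firmware_version} inventory by remediation status."""
    groups = {"affected": [], "unclear": [], "unknown": [], "fixed": []}
    for device, version in inventory.items():
        groups[classify(version)].append(device)
    return groups


# Constructed sample inventory for illustration, not real device data.
SAMPLE_INVENTORY = {
    "home-kitchen": "master.611",
    "studio-lab": "master.622",
    "home-office": "master.620",
    "studio-demo": "MASTER-622",
}

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {devices}")
```

Devices reported as "unclear" or "unknown" still need a manual check against the Gardyn app's version screen before being considered remediated.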

Evidence notes

Source corpus: CISA CSAF advisory ICSA-26-055-03 / CVE-2025-10681, published 2026-02-24 and updated 2026-04-02. The advisory states that storage credentials are hardcoded in the mobile app and device firmware, do not adequately limit permissions, and do not expire within a reasonable time. The source also includes an SSVC v2 decision vector, SSVCv2/E:N/A:Y/2026-03-31T05:00:00.000000Z (exploitation: none observed; automatable: yes, as of 2026-03-31). No KEV entry or active ransomware association is provided in the supplied corpus.

Official resources

Publicly disclosed by CISA in advisory ICSA-26-055-03 on 2026-02-24; updated 2026-04-02 to add CVE-2025-10681 and refine mitigation guidance.