Hardcoded Credentials in Mobile App and Firmware of Gardyn's Smart Plant System
CVE-2025-10681

8.8HIGH

Key Information:

Vendor: Gardyn
Status: Mobile Application; Cloud Api
Vendor: CVE Published:; 3 April 2026

What is CVE-2025-10681?

The Smart Plant System by Gardyn contains a significant vulnerability involving hardcoded storage credentials within its mobile application and device firmware. These credentials not only lack sufficient restrictions on end-user permissions but also do not have an expiration mechanism in place. This deficiency poses a risk of unauthorized access to production storage containers, potentially leading to data breaches and compromise of user information.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Cloud API 0 < 2.12.2026

Mobile Application 0 < 2.11.0

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-0...

https://mygardyn.com/security/

https://github.com/cisagov/CSAF/blob/develop/csaf_files/O...

CVSS V4

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 3, 2026
Vulnerability Reserved
Sep 18, 2025

Credit

Michael Groberman reported these vulnerabilities to CISA.

JSON

Gardyn