Hardcoded Credentials in Mobile App and Firmware of Gardyn's Smart Plant System
CVE-2025-10681

8.8HIGH

Key Information:

Vendor: Gardyn
Status: Mobile Application; Cloud Api
Vendor: CVE Published:; 3 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-10681?

The Smart Plant System by Gardyn contains a significant vulnerability involving hardcoded storage credentials within its mobile application and device firmware. These credentials not only lack sufficient restrictions on end-user permissions but also do not have an expiration mechanism in place. This deficiency poses a risk of unauthorized access to production storage containers, potentially leading to data breaches and compromise of user information.

Affected Version(s)

Cloud API 0 < 2.12.2026

Mobile Application 0 < 2.11.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-10681
Created by MichaelAdamGroberman

References

https://www.cisa.gov/news-events/ics-advisories/icsa-26-0...

https://mygardyn.com/security/

https://github.com/cisagov/CSAF/blob/develop/csaf_files/O...

CVSS V4

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 7, 2026
👾
Exploit known to exist
Apr 7, 2026
Vulnerability published
Apr 3, 2026
Vulnerability Reserved
Sep 18, 2025

Credit

Michael Groberman reported these vulnerabilities to CISA.

CVE-2025-10681 Data

JSON