CVE-2026-13768: Gardyn IoT Hub Use of Hard-coded Credentials
Gardyn devices expose a privileged iothubowner key. Access to this key will allow a malicious user to invoke an IoTHub Registry Manager function which returns connection information for all Gardyn Home Kit and Studio devices. Access to this key also allows a malicious user to execute arbitrary commands on a specific connected device and may allow the malicious user to pivot to other devices on the user's network.
Metrics
- CVSS v4.0: 9.5
- Severity: CRITICAL
- Fixed in: 2.12.2026
- Affected Products: 3
HarborGuard Analysis
Synopsis
This is a hard-coded credentials vulnerability in the Gardyn IoT Hub firmware and cloud API. The privileged iothubowner key is embedded directly in the device and is reachable over the network by any unauthenticated attacker. Successful exploitation gives an attacker full read and write access to IoT Hub registry data for all connected Gardyn devices, the ability to run arbitrary commands on individual devices, and a foothold to pivot into the user's local network. Patched-image rebuilds at versions 2.12.2026 and master.627 are available on HarborGuard for environments running affected versions.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including ICS-CERT advisories) within minutes of publication and matched against customer images, including custom-built images that bundle Gardyn firmware or API components. Any image containing an affected version of the Gardyn Home Firmware, Studio Firmware, or Cloud API is flagged automatically in the pipeline scan.
HarborGuard scores this finding at CVSS v4.0 9.5 (Critical) and surfaces it with that severity in each customer's findings dashboard. Per-environment compliance policy weighting can escalate or re-route the alert to the appropriate team inbox based on asset classification and policy thresholds.
A patched-image rebuild targeting Gardyn Home Firmware and Studio Firmware master.627 and Cloud API 2.12.2026 is available on HarborGuard for any environment running an affected version. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs regression tests, and opens a pull request against the affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the device or cloud API endpoint over the network; the hard-coded key is exposed to any host that can make a network connection to the service.
- Authentication: Not required
No credentials are needed because the iothubowner key is hard-coded in the device itself, removing authentication as a barrier entirely.
- Victim interaction: Not required
The attacker does not need any action from a user or device owner; exploitation is fully remote and passive.
- Attack complexity: Low (AC:L)
Exploitation otherwise has no special preconditions, but the CVSS v4.0 vector sets Attack Requirements to Present (AT:P), meaning a specific deployment configuration or timing condition may need to hold.
Blast Radius
- Reads connection information for every Gardyn Home Kit and Studio device registered in the IoT Hub, exposing device identifiers, endpoints, and credentials for the entire fleet.
- Executes arbitrary commands on any individually targeted connected Gardyn device.
- Provides a network pivot point into the local network of any affected user, allowing lateral movement to other hosts on the same segment.
- Modifies IoT Hub registry data and device state across the connected fleet, affecting device behavior and integrity at scale.
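The root cause here is a hub-wide credential shipped inside a device image, and the blast radius follows directly from which shared access policy the embedded key belongs to. The following scanner is an added example, not code from the advisory, Gardyn, or HarborGuard: it walks an unpacked firmware tree (or a config file in a build pipeline), finds Azure IoT Hub connection strings, and rates each one by the scope its policy grants, so an iothubowner key is reported as critical while a per-device key is reported as the expected low-risk design. It assumes the credential is stored in the standard IoT Hub connection-string format (HostName=...;SharedAccessKeyName=...;SharedAccessKey=...); the advisory does not say how the key is stored on the device, so that format, the sample hostname and the sample keys are all constructed assumptions.

```python
"""Flag Azure IoT Hub shared-access credentials embedded in a firmware tree.

Added example, not code from the advisory, Gardyn or HarborGuard. It assumes the
credential is stored in the standard IoT Hub connection-string format
(HostName=...;SharedAccessKeyName=...;SharedAccessKey=...); the advisory does not
say how the key is stored on the device, so that format is an assumption.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from typing import Optional

# Azure IoT Hub built-in shared access policies and the blast radius each implies.
# iothubowner and registryReadWrite can read and rewrite the whole device registry,
# which is the iothubowner case this advisory describes.
POLICY_SCOPE = {
    "iothubowner": "critical",
    "registryreadwrite": "critical",
    "registryread": "high",
    "service": "high",
    "device": "high",
}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# A run of two or more connection-string fields joined by ';', in any order.
_FIELD = r"(?:HostName|DeviceId|ModuleId|SharedAccessKeyName|SharedAccessKey)=[^;\s\"']+"
CONN_STRING_RE = re.compile(rf"{_FIELD}(?:;{_FIELD})+")


@dataclass
class Finding:
    path: str
    line: int
    hostname: str
    principal: str      # policy name, or "device:<id>" for a per-device key
    severity: str
    redacted_key: str   # never log the full key


def classify(fields: dict) -> tuple[str, str]:
    """Map the credential's principal to a severity by the scope it grants."""
    policy = fields.get("SharedAccessKeyName")
    if policy:
        # Unknown policy names are custom hub-level policies: treat them as high.
        return policy, POLICY_SCOPE.get(policy.lower(), "high")
    if "DeviceId" in fields:
        # A per-device key is the expected design; flag it low so a reviewer can
        # still confirm it is unique per unit rather than shared by the image.
        return f"device:{fields['DeviceId']}", "low"
    return "unknown", "high"


def scan_text(text: str, path: str = "<memory>") -> list[Finding]:
    """Return one Finding per connection string that carries a SharedAccessKey."""
    findings = []
    for match in CONN_STRING_RE.finditer(text):
        fields = dict(part.split("=", 1) for part in match.group(0).split(";"))
        key = fields.get("SharedAccessKey")
        if not key:
            continue   # a hostname without a key is not a credential leak
        principal, severity = classify(fields)
        findings.append(Finding(
            path=path,
            line=text.count("\n", 0, match.start()) + 1,
            hostname=fields.get("HostName", "?"),
            principal=principal,
            severity=severity,
            redacted_key=f"{key[:4]}...{key[-2:]} ({len(key)} chars)",
        ))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk an unpacked firmware filesystem; latin-1 keeps binary bytes harmless."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                findings.extend(scan_text(fh.read().decode("latin-1"), path))
    return findings


def worst_severity(findings: list[Finding]) -> Optional[str]:
    """Highest severity present, useful as a pipeline gate (fail on critical)."""
    if not findings:
        return None
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index)


# Constructed sample: a hub-wide owner key next to a legitimate per-device key.
# Hostname and keys are placeholders, not real credentials.
SAMPLE_CONFIG = (
    "# constructed sample config, not real credentials\n"
    'HUB_ADMIN="HostName=example-hub.azure-devices.net;SharedAccessKeyName=iothubowner;'
    "SharedAccessKey=" + "A" * 43 + '="\n'
    'DEVICE="HostName=example-hub.azure-devices.net;DeviceId=unit-0001;'
    "SharedAccessKey=" + "B" * 43 + '="\n'
)

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "sample.cfg"):
        print(f"{f.severity.upper():8} {f.path}:{f.line} {f.principal} "
              f"@ {f.hostname} key={f.redacted_key}")
```

Run it against the directory produced by unpacking a firmware image (`scan_tree("/path/to/rootfs")`) or wire `worst_severity` into a build step that fails on `critical`. Keys are redacted in the output on purpose: a secret scanner that prints the secret it found just moves the exposure into the CI log.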
How HarborGuard Handles This
Available on HarborGuard: this Critical-severity CVE (CVSS v4.0 9.5) is matched against customer images within minutes of ingestion from the ICS-CERT advisory feed. For environments running affected Gardyn firmware or Cloud API images, a rebuilt image at the fixed versions (master.627 for firmware, 2.12.2026 for the Cloud API) is available immediately. For customers with auto-remediation enabled, HarborGuard performs the rebuild, executes the regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where compliance policy does not permit automatic remediation, HarborGuard surfaces the finding with Critical priority and routes it to the configured team inbox for manual review. Given the network-accessible, no-authentication nature of this vulnerability, teams should treat isolation of affected devices (via network policy or egress filtering to IoT Hub endpoints) as a compensating control until the patched image is deployed.
Fix available
- Gardyn / Gardyn Home Firmware: < master.627 (from 0)
- Gardyn / Gardyn Studio Firmware: < master.627 (from 0)
- Gardyn / Gardyn Cloud API: < 2.12.2026 (from 0)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L