This vulnerability involves the use of hard-coded credentials (CWE-798) in the Gardyn Home Kit product. Attackers can extract these credentials through multiple vectors including API responses, reverse engineering of the mobile application, and firmware analysis. With these credentials, attackers gain full administrative access to the IoT Hub, which controls connected devices. The CVSS 4.0 score of 9.3 reflects network attack vector, no required privileges or user interaction, and high impact on confidentiality and integrity. The product is not a cloud service, and no patch or vendor advisory is currently available.

Successful exploitation results in full administrative access to the Gardyn IoT Hub, exposing all connected devices to potential malicious control. This compromises the confidentiality and integrity of the system and connected IoT devices. Given the critical CVSS score, the impact is severe, potentially allowing attackers to manipulate device operations or disrupt service.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should limit exposure of the affected devices to untrusted networks and monitor for suspicious activity. Avoid reverse engineering or exposing device firmware and application APIs to unauthorized parties. Follow vendor communications closely for updates on patches or mitigations.