CVE-2025-29628CRITICAL 9.4EPSS p18.2%

CVE-2025-29628CVE-2025-29628

Description

A Gardyn Azure IoT Hub connection string is downloaded over an insecure HTTP connection in Gardyn Home Kit firmware before master.619, Home Kit Mobile Application before 2.11.0, and Home Kit Cloud API before 2.12.2026 leaving the string vulnerable to interception and modification through a Man-in-the-Middle attack. This may result in the attacker capturing device credentials or taking control of vulnerable home kits.

Scoring

CVSS 3.19.4 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS0.27% probability of exploitation · percentile 18.2% · 2026-06-19T12:03:05Z
Published2025-07-25
Last modified2026-04-15

Underlying weaknesses· 3

CWE-924CWE-77CWE-200

References

  1. https://github.com/mselbrede/gardyn/blob/main/CVE-2025-29628_CVE-2025-29631.md
  2. https://mygardyn.com/blog/security-update/
  3. https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03

3

TypeTargetConfidenceTier
WeaknessExposure of Sensitive Information to an Unauthorized Actorcwe-2000%live
WeaknessImproper Neutralization of Special Elements used in a Command ('Command Injection')cwe-770%live
WeaknessImproper Enforcement of Message Integrity During Transmission in a Communication Channelcwe-9240%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-29629
CVE
CVE-2025-29631
CVE
CVE-2025-1242
CVE
CVE-2026-24789
CVE
CVE-2026-21515
CVE
CVE-2026-24790
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.