CVE-2025-29631 · CRITICAL 9.8 · EPSS p76.5%


Description

Gardyn Home Kit firmware before master.619, Home Kit Mobile Application before 2.11.0, and Home Kit Cloud API before 2.12.2026 allow command injection through vulnerable methods that do not sanitize input before passing content to the operating system for execution. The vulnerability may allow an attacker to execute arbitrary operating system commands on a target Home Kit.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.86% probability of exploitation · percentile 76.5% · 2026-06-19T12:03:05Z
Published: 2025-07-25
Last modified: 2026-04-15

Underlying weaknesses · 2

CWE-78, CWE-94

References

  1. https://github.com/mselbrede/gardyn/blob/main/CVE-2025-29628_CVE-2025-29631.md
  2. https://mygardyn.com/blog/security-update/
  3. https://www.cisa.gov/news-events/ics-advisories/icsa-26-055-03


Type     | Target                                                                                      | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | cwe-78, 0% | live
Weakness | Improper Control of Generation of Code ('Code Injection')                                   | cwe-94, 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-29629, CVE-2025-29628, CVE-2025-1242, CVE-2025-37162, CVE-2026-45431, CVE-2025-32107

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.