CVE-2026-13768 - Gardyn IoT Hub Use of Hard-coded Credentials
🚨 Attention: Gardyn devices expose a privileged iothubowner key. Anyone holding this key can invoke the IoT Hub Registry Manager, which returns connection information for all Gardyn Home Kit and Studio devices. The same access enables the execution of arbitrary commands on connected devices and may allow attackers to pivot to other devices on the user's network.

Affected Products

The following products are affected by CVE-2026-13768. Although cvefeed.io is aware of the exact versions of the affected products, that information is not represented in the table below. No affected products have been recorded yet.

Public Exploits

We scan GitHub repositories to detect new proof-of-concept exploits. Below is a collection of public exploits and proof-of-concepts published on GitHub, sorted by the most recently updated:

  • CISA Advisory ICSA-26-183-03 - Gardyn IoT Hub - 3 CVEs (companion to ICSA-26-055-03)
    • Keywords: azure-iot, CISA, coordinated-disclosure, CVE, gardyn, iot-security, remote-code-execution, security-research.
    • Updated: 2 hours, 21 minutes ago.
    • Created: July 2, 2026, 8:18 p.m.
  • CVE-2026-13768: Privileged iothubowner IoT Hub credential – fleet enumeration, device RCE, home-network pivot – Gardyn (ICSA-26-183-03)
    • Keywords: azure-iot-hub, CISA, CVE, gardyn, hardcoded-credentials, iot-security, remote-code-execution, security-research, vulnerability-disclosure.
    • Updated: 2 hours, 21 minutes ago.
    • Created: July 2, 2026, 7:38 p.m.

Results are limited to the first 15 repositories due to potential performance issues.

This post is licensed under CC BY 4.0 by the author.