CERT/CC VU#653116 | CISA Advisory ICSA-26-055-03 | All CVEs | Case Repository

Gr0m-003: iothubowner Key Exposure

Classification

  • ID: Gr0m-003
  • CVSS 3.1: 9.1 (Critical)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
  • CWE: CWE-798 (Use of Hard-coded Credentials)
  • Status: Key reused after hub migration

Summary

The Azure IoT Hub administrative credential (iothubowner) was exposed for 5+ years via multiple vectors. The vendor migrated to a new hub but reused the same key, leaving devices using the shared credentials vulnerable.


Exposure Window

May 2019 - Present (5+ years)


Compromised Credential

HostName=[REDACTED].azure-devices.net
SharedAccessKeyName=iothubowner
SharedAccessKey=[REDACTED]

Critical Finding

The vendor migrated from an earlier IoT Hub to the current hub but reused the same shared access key. Anyone who captured the credential during the 5-year exposure window retains access.

The vendor stated to CISA that no access logging existed on the affected endpoints during the exposure window. The vendor's public security page is at https://mygardyn.com/security/.


Exposure Vectors

Endpoint details removed — Specific API paths and field names have been removed from this public disclosure to reduce attacker enablement.

  1. Unauthenticated device provisioning endpoint returned administrative credential (now removed)
  2. Authenticated device claim endpoint returns administrative credential
  3. Mobile app Hermes bytecode
  4. Device firmware
  5. Unauthenticated user enumeration endpoint returned administrative credential in every user record (CVE-2026-28766)

Why This Is Root Cause

This single credential is the root enabler for multiple critical findings including remote code execution, fleet-wide device control, lateral movement to home networks, and mass credential extraction.

Attack chain mapping removed — Specific finding-to-capability mappings have been removed from this public disclosure to reduce attacker enablement.

Without this key, none of the critical attack chains work.


Impact

Anyone with this key has full administrative access to:

  • 138,160+ registered devices
  • All device twins and configurations
  • Direct method invocation (RCE)
  • Cloud-to-device messaging

Remediation

  1. Rotate the iothubowner key immediately
  2. Generate new per-device credentials
  3. Push OTA update with new credentials
  4. Audit logs for unauthorized access
  5. Implement key rotation schedule
  6. Set up monitoring and alerting
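
Remediation step 2 replaces the one hub-wide iothubowner secret with a credential scoped to a single device. The block below is an added example, not code from the advisory or the vendor: it builds a per-device, short-lived SAS token in the documented IoT Hub format (`SharedAccessSignature sr=...&sig=...&se=...[&skn=...]`) and pairs it with an illustrative verification routine that accepts only a token bound to one device identity and rejects any token carrying a hub-level policy name such as iothubowner. The hub name, the keys and `verify_device_token` are constructed for the example.

```python
"""Per-device scoped SAS tokens vs. a hub-level iothubowner token (added example)."""
import base64
import hashlib
import hmac
import time
from urllib.parse import quote, unquote

# Constructed values for illustration only; not the vendor's hub or keys.
HUB = "example-hub.azure-devices.net"
DEVICE_KEY = base64.b64encode(b"\x11" * 32).decode()   # per-device symmetric key
OTHER_KEY = base64.b64encode(b"\x22" * 32).decode()    # a different device's key
OWNER_KEY = base64.b64encode(b"\x33" * 32).decode()    # hub-wide policy key (the risk)


def generate_sas_token(resource_uri, key_b64, ttl_seconds, policy_name=None):
    """Documented IoT Hub SAS format: sign "<url-encoded sr>\\n<expiry>" with the
    base64-decoded key. Device tokens carry no skn; hub policy tokens carry skn=<policy>."""
    expiry = int(time.time()) + ttl_seconds
    sr = quote(resource_uri, safe="")
    digest = hmac.new(base64.b64decode(key_b64), f"{sr}\n{expiry}".encode(),
                      hashlib.sha256).digest()
    sig = quote(base64.b64encode(digest).decode(), safe="")
    token = f"SharedAccessSignature sr={sr}&sig={sig}&se={expiry}"
    return token + (f"&skn={policy_name}" if policy_name else "")


def parse_sas_token(token):
    prefix = "SharedAccessSignature "
    if not token.startswith(prefix):
        raise ValueError("not a SAS token")
    return dict(part.split("=", 1) for part in token[len(prefix):].split("&"))


def verify_device_token(token, device_id, device_key_b64, now=None):
    """Hypothetical hub-side check: the token must be scoped to exactly this device,
    signed with this device's own key, unexpired, and must not be a hub policy token."""
    fields = parse_sas_token(token)
    if "skn" in fields:                       # iothubowner (or any policy) used as a device cred
        return False
    if unquote(fields["sr"]) != f"{HUB}/devices/{device_id}":
        return False                          # token minted for another device or the whole hub
    if int(fields["se"]) <= (now if now is not None else int(time.time())):
        return False                          # expired: short TTLs bound the damage of a leak
    expected = hmac.new(base64.b64decode(device_key_b64),
                        f"{fields['sr']}\n{fields['se']}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64decode(unquote(fields["sig"])), expected)
```

A token minted with a leaked per-device key is useful only for that one device identity until it expires, whereas the shared iothubowner key the advisory describes grants the whole hub with no such scoping.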

Researcher: Michael Groberman (Gr0m)
Contact: [email protected] · LinkedIn
