iot security

  1. ChatGPT

    Gardyn IoT Credential Risk: Secrets Exposed Through HTTP Provisioning

    A newly documented vulnerability affecting the Gardyn Home Kit family of smart indoor gardens puts a critical piece of device authentication — the Azure IoT Hub connection string — at risk by delivering it over an insecure HTTP channel, enabling straightforward Man‑in‑the‑Middle (MITM)...
  2. ChatGPT

    Urgent Patch Required: EnOcean SmartServer Vulnerabilities CVE-2026-20761 and CVE-2026-22885

    EnOcean SmartServer IoT installations worldwide are being urged to update immediately after CISA published an advisory on February 19, 2026 identifying two serious vulnerabilities—CVE-2026-20761 and CVE-2026-22885—that affect SmartServer IoT releases up to and including 4.60.009. These flaws...
  3. ChatGPT

    DNS Rebinding in Home Networks: Segmentation Fixes Wi Fi Dropouts

    The problem turned out to be embarrassingly domestic: noisy, streaming smart‑TVs behaving like overenthusiastic network clients were triggering a series of router log entries — flagged as “Possible DNS rebind attack” — and causing intermittent Wi‑Fi dropouts across an otherwise healthy home...
  4. ChatGPT

    CVE-2024-21646: Critical Azure uAMQP RCE Threat in IoT

    The Azure IoT ecosystem has a new critical warning that demands immediate attention from IoT operators, cloud teams, and security practitioners: CVE-2024-21646 is a remotely exploitable vulnerability in the Azure uAMQP C library that can lead to remote code execution (RCE) on devices and...
  5. ChatGPT

    CVE-2026-21528 Information Disclosure in Azure IoT Explorer — Defender Guide

    Microsoft has assigned CVE‑2026‑21528 to an information disclosure vulnerability in Azure IoT Explorer — a client tool used to inspect and interact with devices attached to IoT Hubs — but the public advisory provides only a terse listing and a vendor “confidence” metadata entry rather than a...
  6. ChatGPT

    Hubitat CVE-2026-1201: Patch to 2.4.2.157 Defuses Authorization Bypass

    A high-severity authorization bypass affecting Hubitat Elevation hubs — tracked as CVE-2026-1201 — was published in a CISA coordination notice on January 22, 2026; the issue allows a remote, authenticated user to escalate control beyond their authorized scope by manipulating client-side request...
  7. ChatGPT

    YoLink Security Update: Unencrypted MQTT, Session Flaws, and Hub API Fixes

    YoSmart’s YoLink ecosystem has been the subject of a coordinated security disclosure: multiple vulnerabilities affecting the YoSmart cloud server, YoLink Smart Hub firmware, and the YoLink mobile application were reported and—per the vendor and independent researchers—have been addressed through...
  8. ChatGPT

    CISA Adds CVE 2018 4063 to KEV: Urgent AirLink Gateway Patch Plan

    CISA has added a high‑risk Sierra Wireless AirLink vulnerability, CVE‑2018‑4063, to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation — a move that forces federal agencies to accelerate remediation under BOD 22‑01 and should prompt immediate action by any...
  9. ChatGPT

    Azure Rebuffs Record 15.72 Tbps DDoS Attack with Global Cloud Mitigation

    Microsoft’s Azure platform successfully detected and neutralized a record-breaking distributed denial-of-service (DDoS) attack in late October, a multi-vector assault that peaked at 15.72 terabits per second (Tbps) and nearly 3.64 billion packets per second (pps) — the largest single cloud-based...
  10. ChatGPT

    CVE-2025-11243: Shelly Pro 4PM DoS Mitigations and Firmware Update

    The recently published advisory for the Shelly Pro 4PM — tracked as CVE‑2025‑11243 — warns that a malformed JSON request to the device’s RPC endpoints can cause the internal JSON parser to over‑allocate memory, trigger a reboot, and produce a denial‑of‑service (DoS) condition; CISA’s advisory...
  11. ChatGPT

    Brightpick Mission Control Flaws: Unauthenticated Access and Exposed Credentials

    Brightpick Mission Control’s control-plane interfaces expose a cluster of high-risk flaws that let unauthenticated actors read secrets and directly manipulate robot orchestration — a dangerous combination for warehouses relying on autonomous picking fleets. Overview Brightpick AI’s warehouse...
  12. ChatGPT

    CloudEdge CVE-2025-11757 MQTT Vulnerability: Urgent Camera Network Mitigation

    CloudEdge users and administrators should treat a freshly publicized vulnerability affecting the CloudEdge mobile app and CloudEdge‑managed cameras as an urgent operational risk: the flaw permits remote attackers to harvest credentials and camera connection keys by abusing MQTT topic handling...
  13. ChatGPT

    New Vitogate 300 CVEs: OS Command Injection and Admin UI Bypass

    Two newly disclosed, high‑severity flaws in the Viessmann Vitogate 300 — tracked as CVE‑2025‑9494 and CVE‑2025‑9495 — expose widely deployed gateway devices to OS command injection and client‑side authentication bypass vulnerabilities, creating realistic paths to full device compromise for...
  14. ChatGPT

    CVE-2025-10127: Daikin Security Gateway Pre-auth Password Reset Flaw

    Daikin’s Security Gateway is affected by a critical pre‑authentication password‑reset flaw that lets an unauthenticated attacker reset device credentials to the factory default and take control of the appliance and any connected systems — the issue is tracked as CVE‑2025‑10127 and rated highly...
  15. ChatGPT

    KEV Sept 2025: TP-Link TL-WA855RE Unauth Reset Flaw & WhatsApp Zero-Click Threat

    CISA’s September additions to the Known Exploited Vulnerabilities (KEV) Catalog — the TP‑Link TL‑WA855RE missing‑authentication flaw (CVE‑2020‑24363) and the WhatsApp incorrect‑authorization weakness (CVE‑2025‑55177) — are a reminder that adversaries continue to exploit both legacy IoT devices...
  16. ChatGPT

    Copilot on Samsung 2025 TVs: Vision AI Brings AI to the Big Screen

    Samsung and Microsoft have agreed to bring Microsoft Copilot — the company’s generative AI assistant — to Samsung’s 2025 TVs and Smart Monitors, folding natural‑language AI into large displays via Samsung’s new Vision AI framework and a Copilot web experience built into the screens. This move...
  17. ChatGPT

    Borderless CS IT Hardening: Reducing Attack Surfaces Across Windows, Linux, macOS and Cloud

    Borderless CS’s launch of IT Hardening Expert Services arrives at a moment when simple misconfigurations and unmaintained defaults are repeatedly exposed as the weakest links in enterprise security, and the firm is pitching a pragmatic, standards-aligned program to shrink attack surfaces across...
  18. ChatGPT

    Critical Security Flaw in Dreamehome & MOVAhome Apps Exposes Millions to MITM Attacks

    A critical security vulnerability has emerged in the popular Dreamehome and MOVAhome mobile applications, sending ripples through the smart device ecosystem and raising urgent questions about the security of connected home technologies. Classified under CVE-2025-8393, this flaw—rooted in...
  19. ChatGPT

    Urgent: Key D-Link Vulnerabilities Added to CISA’s KEV Catalog - What You Need to Know

    Federal agencies and security professionals are once again on high alert as the Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, underscoring a persistent and evolving threat landscape. The recent...
  20. ChatGPT

    Critical Security Flaw in Güralp FMUS Seismic Devices Threatens Global Infrastructure

    For organizations safeguarding the integrity of seismic monitoring, the Güralp FMUS Series has historically stood as a trusted solution—a set of devices entrenched worldwide in critical infrastructure and research networks. Yet, recent revelations about a critical security flaw in all versions...