Critical Gardyn Flaws Let Hackers Hijack Smart Gardens Remotely
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published Update A to ICS Advisory ICSA-26-055-03, dramatically expanding the known attack surface of Gardyn Home Kit systems.
What began as a February 2026 disclosure of four vulnerabilities has now grown to ten cataloged flaws, three of them rated Critical with a CVSS score of 9.3, spanning the Gardyn firmware, mobile application, and cloud API infrastructure.
Security researcher Michael Groberman originally identified and reported all vulnerabilities to CISA.
His investigation found that 134,215 user records, including names, email addresses, phone numbers, and partial credit card numbers, were retrievable through a single API call that required no credentials at all.
Critical Gardyn Vulnerability
The advisory impacts multiple components of the Gardyn ecosystem. The Gardyn Mobile Application (versions before 2.11.0), Gardyn Cloud API (versions before 2.12.2026), and both Gardyn Home Firmware and Gardyn Studio Firmware are all listed as vulnerable.
The newly expanded CVE list includes the following key identifiers:
- CVE-2025-1242 — Administrative credentials extractable from API responses, the mobile app, or reverse-engineered firmware, granting full access to the Gardyn IoT Hub
- CVE-2025-10681 — Hardcoded storage credentials in the mobile app and device firmware with excessive, non-expiring permissions
- CVE-2026-28766 — A specific /api/users endpoint exposing all registered user account data with zero authentication required
- CVE-2026-32662 — Development and test API endpoints present in production environments, mirroring full production functionality
- CVE-2025-29628 — Azure IoT Hub connection string downloaded over insecure HTTP, enabling potential man-in-the-middle (MITM) attacks
- CVE-2025-29631 — OS command injection due to improper input sanitization before content is passed to the operating system
Additional newly identified flaws include authorization bypass, allowing attackers to pivot between user profiles, and unauthenticated access to administrative device management endpoints.
An unauthenticated remote attacker can extract admin credentials, inject OS-level commands, access all user data freely, and then pivot laterally into the broader Gardyn cloud infrastructure or other devices sharing the same network.
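Three of the flaws above share one root cause: long-lived Azure credentials embedded in artifacts an attacker can simply download (the mobile app, the firmware image, or a connection string fetched over plain HTTP). The scanner below, added here as an illustration and not code from Gardyn, the researcher, or CISA, shows how a team can check its own firmware or app bundle for that class of mistake before shipping. It assumes only the publicly documented shapes of Azure IoT Hub and Azure Storage connection strings; the sample blob, the hostnames, and the keys in it are constructed placeholders, not material from the advisory.

```python
"""Scan a firmware image or app bundle for embedded Azure credentials.

Hypothetical example added to this article; not Gardyn code and not part of
the CISA advisory. It relies only on the documented field layout of Azure
IoT Hub and Azure Storage connection strings.
"""
import re
from typing import Dict, List

# Azure IoT Hub connection strings: HostName=<hub>.azure-devices.net;
# then DeviceId=... (device-scoped) or SharedAccessKeyName=... (policy-scoped),
# then the base64 SharedAccessKey.
IOT_HUB_RE = re.compile(
    rb"HostName=[\w.-]+\.azure-devices\.net;"
    rb"(?:DeviceId=[^;\s\"']+;|SharedAccessKeyName=[^;\s\"']+;)"
    rb"SharedAccessKey=[A-Za-z0-9+/=]{20,}"
)
# Azure Storage account connection strings (the "hardcoded storage
# credentials" case): the AccountKey grants whatever the account allows.
STORAGE_RE = re.compile(
    rb"DefaultEndpointsProtocol=https?;AccountName=[a-z0-9]{3,24};"
    rb"AccountKey=[A-Za-z0-9+/=]{40,}"
)
# Plain-HTTP URLs baked into the artifact: anything fetched from one can be
# tampered with in transit, which is how a connection string gets MITM'd.
HTTP_URL_RE = re.compile(rb"http://[\w.-]+(?:/[\w./?=&%-]*)?")


def _redact(match: bytes) -> str:
    """Keep field names and the last 4 key characters; mask the rest of the key."""
    text = match.decode("ascii", "replace")

    def mask(m: "re.Match[str]") -> str:
        key = m.group(2)
        return m.group(1) + "*" * (len(key) - 4) + key[-4:]

    return re.sub(r"((?:SharedAccessKey|AccountKey)=)([A-Za-z0-9+/=]+)", mask, text)


def scan_blob(blob: bytes) -> Dict[str, List[str]]:
    """Return credential-looking strings (redacted) and plain-HTTP URLs found in blob."""
    findings: Dict[str, List[str]] = {"iot_hub": [], "storage": [], "http_urls": []}
    for m in IOT_HUB_RE.finditer(blob):
        findings["iot_hub"].append(_redact(m.group(0)))
    for m in STORAGE_RE.finditer(blob):
        findings["storage"].append(_redact(m.group(0)))
    for m in HTTP_URL_RE.finditer(blob):
        findings["http_urls"].append(m.group(0).decode("ascii", "replace"))
    return findings


# Constructed sample: strings as they might sit inside a firmware image,
# surrounded by binary noise. Hostnames and keys are placeholders.
SAMPLE_BLOB = (
    b"\x00\x7fELF\x01\x01" * 4
    + b"HostName=example-hub.azure-devices.net;DeviceId=device-0001;"
      b"SharedAccessKey=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo0MTIzNDU2Nzg5MA==\x00"
    + b"config_url=http://updates.example.net/device/connection\x00"
    + b"DefaultEndpointsProtocol=https;AccountName=exampledevstore;"
      b"AccountKey=" + b"A" * 86 + b"==\x00"
    + b"\xff\xfe" * 8
)

if __name__ == "__main__":
    # Real use: scan_blob(open("firmware.bin", "rb").read())
    for kind, items in scan_blob(SAMPLE_BLOB).items():
        for item in items:
            print(f"{kind}: {item}")
```

Run it over an unpacked firmware image or the extracted contents of the app package; every hit is a credential that ships to every customer and should instead be provisioned per device (for example via DPS or a per-device SAS token) with the narrowest permissions and an expiry. The HTTP URL list is worth reviewing as well: a device that pulls configuration from a plain-HTTP endpoint lets anyone on the path substitute their own connection string.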
CISA classifies this threat under the Food and Agriculture critical infrastructure sector, reflecting real-world deployment risks for both home and commercial users.
Despite the critical severity ratings, CISA confirmed no active exploitation has been observed in the wild as of the advisory date.
Mitigation Steps
Gardyn has already remediated all identified vulnerabilities and coordinated fixes with CISA before public disclosure. CISA still urges all users to take the following immediate steps:
- Update the Gardyn Mobile App to version 2.11.0 or later
- Upgrade device firmware to master.622 or later
- Never expose control system devices directly to the internet
- Isolate smart devices behind segmented networks and robust firewalls
- Use up-to-date Virtual Private Networks (VPNs) for any required remote access, recognizing that a VPN is only as secure as the devices it connects
- Monitor all network traffic linked to smart garden devices for anomalous behavior
Users who detect suspicious activity should immediately follow internal incident response protocols and report findings directly to CISA for further investigation.
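The monitoring step above is easier to act on with concrete rules. The example below, added here and not tooling from Gardyn or CISA, runs four checks drawn from the advisory over gateway or proxy log lines: a device on the smart-device VLAN talking plain HTTP, the /api/users endpoint reached without credentials, development or test API paths showing up in live traffic, and the device segment reaching into the internal LAN. The log format, the two subnets, and the hostnames are assumptions for the example, and the sample lines are constructed.

```python
"""Flag anomalous smart-garden traffic in gateway logs.

Hypothetical example added to this article, not Gardyn or CISA tooling.
Assumed constructed log format, one request per line:
    <ISO timestamp> <src_ip> <method> <url> <status> auth=<-|present>
The subnets and hostnames below are assumptions for the example.
"""
import ipaddress
from typing import List, Tuple
from urllib.parse import urlsplit

IOT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")  # assumed smart-device VLAN
LAN_SEGMENT = ipaddress.ip_network("10.0.0.0/24")   # assumed user/server LAN
USER_ENUM_PATH = "/api/users"                       # endpoint named in the advisory
DEV_MARKERS = ("/dev/", "/test/", "/staging/")      # assumed dev/test path markers
DEV_HOST_LABELS = ("dev", "test", "staging")        # assumed dev/test host prefixes


def classify(line: str) -> List[str]:
    """Return the names of the rules one log line triggers (empty if none)."""
    _ts, src, _method, url, _status, auth = line.split()
    src_ip = ipaddress.ip_address(src)
    parts = urlsplit(url)
    host = parts.hostname or ""
    hits: List[str] = []

    # 1. Device fetching anything over plain HTTP: whatever it downloads
    #    (a connection string, a config file) can be swapped in transit.
    if src_ip in IOT_SEGMENT and parts.scheme == "http":
        hits.append("plaintext-http-from-iot")

    # 2. The user-listing endpoint reached with no credentials at all.
    if parts.path.rstrip("/") == USER_ENUM_PATH and auth == "auth=-":
        hits.append("unauthenticated-user-listing")

    # 3. Development/test endpoints should not be reachable in production.
    if any(m in parts.path for m in DEV_MARKERS) or host.split(".")[0] in DEV_HOST_LABELS:
        hits.append("dev-endpoint-in-production")

    # 4. Device segment talking to the internal LAN: the segmentation the
    #    advisory recommends is not holding.
    try:
        dst_ip = ipaddress.ip_address(host)
    except ValueError:
        dst_ip = None
    if src_ip in IOT_SEGMENT and dst_ip is not None and dst_ip in LAN_SEGMENT:
        hits.append("iot-to-lan-crossing")

    return hits


def scan_log(lines: List[str]) -> List[Tuple[str, List[str]]]:
    """Run classify() over every line; return (line, hits) for lines that trigger."""
    results: List[Tuple[str, List[str]]] = []
    for line in lines:
        hits = classify(line)
        if hits:
            results.append((line, hits))
    return results


# Constructed sample log; 203.0.113.9 is a documentation address standing in
# for an external client.
SAMPLE_LOG = [
    "2026-03-01T10:00:01Z 10.20.0.15 GET https://api.example.net/api/devices/me 200 auth=present",
    "2026-03-01T10:00:05Z 10.20.0.15 GET http://updates.example.net/device/connection 200 auth=-",
    "2026-03-01T10:01:10Z 203.0.113.9 GET https://api.example.net/api/users 200 auth=-",
    "2026-03-01T10:02:00Z 10.0.0.42 GET https://api.example.net/api/users 200 auth=present",
    "2026-03-01T10:03:30Z 10.0.0.42 POST https://dev.api.example.net/api/devices/reboot 200 auth=present",
    "2026-03-01T10:04:00Z 10.20.0.15 GET http://10.0.0.5/admin 401 auth=-",
]

if __name__ == "__main__":
    for line, hits in scan_log(SAMPLE_LOG):
        print(", ".join(hits), "<-", line)
```

Rule 2 is the one to watch from the cloud side: a single client pulling /api/users without an Authorization header is the exact shape of the unauthenticated bulk export described above, and a 200 on that request after the fix has shipped means the fix is not deployed. Rule 4 is the local-network check: if a smart-garden device is ever seen initiating connections to the user or server LAN, the firewall between segments is either missing or too permissive.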