OTPulse

Gardyn Home Kit

Act Now | CVSS 9.1 | ICS-CERT ICSA-26-055-03 | Feb 24, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Three critical vulnerabilities in Gardyn Home Kit allow unauthenticated users to access and control edge devices, retrieve cloud-based device information and user data without credentials, and pivot to other edge devices in the Gardyn cloud environment. The vulnerabilities affect the Home Kit Firmware (CWE-319, CWE-1392, CWE-78, CWE-798, including cleartext transmission, hardcoded credentials, and OS command injection), the Home Kit Mobile Application, and the Gardyn Cloud API. Successful exploitation could allow complete unauthorized control of hydroponic growing systems and unauthorized access to user account data.

What this means
What could happen
An attacker could remotely access and control your Gardyn Home Kit devices without credentials, retrieve your personal data and device information stored in Gardyn's cloud, and potentially access other connected devices in the same Gardyn account. This could allow manipulation of your hydroponic garden's growing parameters or complete system shutdown.
Who's at risk
Residential users with Gardyn Home Kit hydroponic growing systems should care about this vulnerability. The affected equipment includes the Home Kit hardware device, the mobile app used to control it, and Gardyn's cloud backend that manages device coordination and stores user data.
How it could be exploited
An attacker sends an unauthenticated request over the internet to the Gardyn cloud API or directly to the Home Kit firmware to access device controls or user data. The attack requires no valid login and can pivot from compromised devices to other equipment on your Gardyn account, all over standard network protocols.
Prerequisites
  • Internet-accessible Gardyn Home Kit device
  • Network connectivity to Gardyn cloud services
  • No authentication required
remotely exploitable, no authentication required, low complexity, high CVSS (9.1), no patch available for firmware, default credentials risk, cloud data exposure
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (3)
3 with fix
Product | Affected Versions | Fix Status
Home Kit Firmware | <master.619 | master.619 or later
Gardyn Home Kit Mobile Application | <2.11.0 | 2.11.0 or later
Gardyn Home Kit Cloud API | <2.12.2026 | 2.12.2026 or later
Remediation & Mitigation
Do now
HOTFIX: Update Gardyn Home Kit firmware to master.619 or later
HOTFIX: Update Gardyn Home Kit mobile application to version 2.11.0 or later
HOTFIX: Update Gardyn Home Kit Cloud API to version 2.12.2026 or later
HARDENING: Ensure all Gardyn Home Kit devices maintain active internet connectivity to receive automatic firmware updates