Gardyn Home Kit

Plan: Patch | CVSS 9.1 | ICS-CERT ICSA-26-055-03 | Feb 24, 2026
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

Gardyn Home Kit firmware, mobile application, and cloud API contain multiple vulnerabilities that allow unauthenticated attackers to access and control edge devices, extract user and device information from the cloud, and pivot between devices in the Gardyn environment. Affected products include Home Kit Firmware below master.619, Mobile Application below version 2.11.0, and Cloud API below version 2.12.2026. The vulnerabilities include cleartext communications (CWE-319), hardcoded credentials (CWE-1392), OS command injection (CWE-78), and embedded plaintext secrets (CWE-798).

What this means
What could happen
An attacker could remotely access and control your Gardyn Home Kit without providing credentials, potentially harvesting user data from the cloud service or using your device as a foothold to attack other connected equipment in your home network.
Who's at risk
This affects anyone using a Gardyn Home Kit automated growing device at home, particularly if the device is network-connected for remote access or cloud synchronization. The vulnerability also impacts users whose account and device data is stored in Gardyn's cloud service.
How it could be exploited
An attacker on the internet could send requests to the Gardyn Cloud API or directly to your Home Kit firmware without authentication. The vulnerabilities include unencrypted communications (CWE-319), hardcoded credentials (CWE-798), and command injection (CWE-78), allowing the attacker to enumerate devices, extract user information, alter device settings, or inject commands into the system.
Prerequisites
  • Internet-facing Gardyn Home Kit or Cloud API access
  • No authentication credentials required
  • Device running vulnerable firmware version below master.619
  • Mobile app version below 2.11.0
Tags: remotely exploitable; no authentication required; low complexity; affects connected home device and associated cloud data; unauthenticated access to user information
Exploitability
Unlikely to be exploited — EPSS score 0.6%
Public Proof-of-Concept (PoC) on GitHub (3 repositories)
Affected products (3), 3 with fix

  Product                            | Affected Versions | Fix Status
  Home Kit Firmware                  | <master.619       | master.619+
  Gardyn Home Kit Mobile Application | <2.11.0           | 2.11.0+
  Gardyn Home Kit Cloud API          | <2.12.2026        | 2.12.2026+
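As an added example (not part of the advisory and not Gardyn's tooling), a small Python check that compares an inventory of installed versions against the fix thresholds in the table above. It parses the firmware's `master.<build>` scheme and the dotted app/API versions into integer tuples so that, for instance, `2.9.5` is correctly ranked below `2.11.0` rather than above it as a plain string comparison would do; the sample inventory at the bottom is constructed.

```python
import re

# Fixed versions as listed in the advisory's affected-products table.
FIXED_VERSIONS = {
    "Home Kit Firmware": "master.619",
    "Gardyn Home Kit Mobile Application": "2.11.0",
    "Gardyn Home Kit Cloud API": "2.12.2026",
}

# Optional alphabetic scheme prefix ("master"), then dotted numeric fields.
_VERSION_RE = re.compile(r"^([A-Za-z]*)\.?([0-9]+(?:\.[0-9]+)*)$")


def parse_version(version):
    """Split 'master.619' into ('master', (619,)) and '2.11.0' into ('', (2, 11, 0)).

    Numeric fields become integers so comparison is numeric, not lexicographic.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    scheme, numbers = match.groups()
    return scheme.lower(), tuple(int(n) for n in numbers.split("."))


def is_affected(product, installed):
    """True when the installed version is below the fixed version for this product.

    Raises ValueError if the version schemes differ (e.g. a firmware build that is
    not on the 'master' line), because the advisory gives no threshold for those.
    """
    fixed_scheme, fixed_num = parse_version(FIXED_VERSIONS[product])
    inst_scheme, inst_num = parse_version(installed)
    if inst_scheme != fixed_scheme:
        raise ValueError(f"{installed!r} does not follow the {FIXED_VERSIONS[product]!r} scheme")
    return inst_num < fixed_num


def assess(inventory):
    """Map each product in {product: installed_version} to 'update required' or 'fixed'."""
    return {
        product: ("update required" if is_affected(product, version) else "fixed")
        for product, version in inventory.items()
    }


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = {
        "Home Kit Firmware": "master.602",
        "Gardyn Home Kit Mobile Application": "2.9.5",
        "Gardyn Home Kit Cloud API": "2.12.2026",
    }
    for product, status in assess(sample).items():
        print(f"{product}: {status}")
```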
Remediation & Mitigation
Do now
  • HOTFIX: Ensure the Home Kit device has persistent network connectivity so it can receive automatic firmware updates
  • HARDENING: Restrict network access to your Gardyn Home Kit to your home network only; use firewall rules to block internet-facing access if possible
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update Gardyn Home Kit firmware to master.619 or later via the Gardyn mobile application
  • HOTFIX: Update the Gardyn mobile application to version 2.11.0 or later from your phone's app store
API: /api/v1/advisories/0af293a7-3613-40cd-93d3-4a339a7d0efc

Gardyn Home Kit | CVSS 9.1 - OTPulse