CISA warns Gardyn smart garden flaws could let attackers take over devices remotely
CISA has warned that critical vulnerabilities in Gardyn Home Kit systems could let unauthenticated attackers remotely control connected smart garden devices and access sensitive cloud data. The advisory says successful exploitation could also let attackers move laterally to other devices inside the same Gardyn cloud environment.
The issues affect parts of the Gardyn Home and Gardyn Studio ecosystem, including device firmware, the mobile app, and the cloud API. CISA’s updated advisory says the flaws carry severity scores as high as 9.3 and include hardcoded credentials, weak default credentials, command injection, exposed administrative endpoints, and missing authentication on critical functions.
The good news is that both CISA and Gardyn say fixes are available. Gardyn says it found no evidence that attackers exploited these flaws beyond the researcher’s report, and it says patches were deployed before public disclosure.
What CISA says is at risk
According to Gardyn’s own security update, a successful attack could have allowed someone to take remote control of a Gardyn device, access plant photos, and view limited demographic information such as names, addresses, phone numbers, and email addresses. The company says it does not store payment card data on these systems.
CISA’s update expanded the advisory from the earlier disclosure and added several 2026 CVEs tied to cloud and admin functions. The newly added issues include an unauthenticated /api/users endpoint that exposed account information, an insecure user profile endpoint that allowed pivoting to other user accounts, and admin or development endpoints that should not have been reachable in production.
Researcher Michael Groberman reported the vulnerabilities to CISA. Public references tied to the advisory say Update A expanded the disclosure from four CVEs to 10, showing that the problem reached beyond local device security and into Gardyn’s broader cloud stack.
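The two cloud-side weaknesses described above (an account-listing endpoint with no authentication, and a profile endpoint that authenticated the caller but never checked whose profile was being read) are generic access-control bugs. The following illustrative Python, added here and not Gardyn's code, shows each pattern beside its corrected form, plus a deny-by-default route check for admin and development endpoints in production. The user table, bearer tokens, paths and role names are all constructed for the example.

```python
"""Added illustration, not Gardyn's code: missing authentication and
missing object-level authorization on account endpoints, with fixes.
All data, tokens, paths and roles below are constructed."""
from dataclasses import dataclass

# Constructed sample accounts and bearer tokens (hypothetical).
USERS = {
    1: {"id": 1, "name": "Alice", "email": "alice@example.invalid", "role": "user"},
    2: {"id": 2, "name": "Bob", "email": "bob@example.invalid", "role": "user"},
    3: {"id": 3, "name": "Ops", "email": "ops@example.invalid", "role": "admin"},
}
TOKENS = {"tok-alice": 1, "tok-bob": 2, "tok-ops": 3}

# Hypothetical admin/dev routes that should never be reachable in production.
ADMIN_ROUTES = {"/admin/debug", "/dev/reset"}


class Unauthorized(Exception):
    """No valid credential presented (HTTP 401)."""


class Forbidden(Exception):
    """Credential valid, but not allowed for this object/action (HTTP 403)."""


class NotFound(Exception):
    """Route deliberately hidden in this environment (HTTP 404)."""


@dataclass
class Request:
    path: str
    headers: dict


def current_user(req):
    """Resolve the bearer token to an account, or raise Unauthorized."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise Unauthorized("missing bearer token")
    uid = TOKENS.get(auth[len("Bearer "):])
    if uid is None:
        raise Unauthorized("invalid token")
    return USERS[uid]


# --- Vulnerable patterns (the bug classes the advisory describes) ---
def list_users_vulnerable(req):
    # No authentication at all: anyone can enumerate every account.
    return list(USERS.values())


def get_profile_vulnerable(req, user_id):
    # Authenticates the caller but never checks that user_id is the caller's
    # own account, so any logged-in user can pivot to any other account.
    current_user(req)
    return USERS[user_id]


# --- Hardened patterns ---
def list_users_hardened(req):
    # Authenticate first, then require an administrative role.
    caller = current_user(req)
    if caller["role"] != "admin":
        raise Forbidden("admin role required")
    return list(USERS.values())


def get_profile_hardened(req, user_id):
    # Object-level authorization: the target id must belong to the caller
    # (or the caller must be an admin).
    caller = current_user(req)
    if caller["id"] != user_id and caller["role"] != "admin":
        raise Forbidden("cannot read another user's profile")
    return USERS[user_id]


def route_allowed(path, production=True):
    """Deny-by-default: admin/dev routes exist only outside production."""
    if production and path in ADMIN_ROUTES:
        raise NotFound(path)
    return True


def outcome(handler, *args):
    """Map a handler call to an HTTP-style status code, for demonstration."""
    try:
        handler(*args)
        return 200
    except Unauthorized:
        return 401
    except Forbidden:
        return 403
    except (NotFound, KeyError):
        return 404


if __name__ == "__main__":
    alice = Request("/api/users/2", {"Authorization": "Bearer tok-alice"})
    print("vulnerable cross-user read:", outcome(get_profile_vulnerable, alice, 2))
    print("hardened cross-user read:  ", outcome(get_profile_hardened, alice, 2))
```

The important distinction is that authentication (who is calling) and authorization (what that caller may touch) are separate checks; the profile bug passes the first and skips the second, which is why a simple "is logged in" guard would not have closed it.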
Why these vulnerabilities matter
This advisory stands out because it combines several basic weaknesses into one attack path. Some flaws expose credentials, others allow command execution, and others open sensitive API functions without proper checks. When those issues appear in the same ecosystem, attackers do not need many steps to move from initial access to full device control or data exposure.
The most serious technical issues include command injection, exposed admin credentials, hardcoded storage credentials, clear-text transmission of sensitive data, and administrative API endpoints that lacked proper authentication. CISA’s updated advisory and Gardyn’s technical list both show that the risks span the device, app, and cloud environment rather than a single isolated bug.
CISA says the affected versions include Gardyn Home firmware and Gardyn Studio firmware below the patched releases, the Gardyn mobile app before version 2.11.0, and Gardyn Cloud API versions before 2.12.2026 for the newer cloud-side flaws. Public technical references associated with the advisory list affected firmware below master.622.
Affected components and key CVEs
| Component | Affected versions | Example CVEs | Risk |
|---|---|---|---|
| Device firmware | Firmware below patched releases, publicly referenced as below master.622 | CVE-2025-29628, CVE-2025-29629, CVE-2025-29631, CVE-2025-1242 | Device takeover, credential exposure, command execution |
| Mobile app | Before 2.11.0 | CVE-2025-10681 | Hardcoded storage credentials |
| Cloud API | Before 2.12.2026 | CVE-2026-28766, CVE-2026-25197, CVE-2026-32646, CVE-2026-28767, CVE-2026-32662 | Account data exposure, admin access, cross-user access |
The table reflects details from CISA’s updated advisory, Gardyn’s security update, and public technical references tied to the disclosure.
One of the more alarming entries is CVE-2026-28766, which describes an endpoint that exposed registered Gardyn user account information without authentication. NVD lists that flaw as requiring no privileges and no user interaction, which helps explain why CISA treated the updated advisory seriously.
Another major concern is the command injection bug, CVE-2025-29631, which Gardyn says could allow arbitrary operating system commands on a target Home Kit. Combined with exposed admin or storage credentials, that kind of flaw could give an attacker a clear route to persistent control.
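Command injection on a device usually comes from pasting a caller-controlled value into a shell command string. The short Python example below, added here and not taken from Gardyn's firmware, contrasts that pattern with the hardened form: validate the value against a strict allowlist and pass it as a separate argv element with no shell involved. The `ping` helper, the hostname parameter and the sample inputs are assumptions constructed for the example; the vulnerable string is built but never executed.

```python
"""Added illustration, not Gardyn's firmware: an injectable shell-string
command builder beside a hardened argv builder with input validation.
The ping helper and all inputs are constructed for this example."""
import re
import subprocess

# Allowlist for a hostname or IPv4 literal: letters, digits, dot, hyphen.
# Shell metacharacters (; | & $ ` ( ) space, newline) can never match.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def is_safe_hostname(hostname):
    """True only if the value matches the allowlist exactly."""
    return HOST_RE.fullmatch(hostname) is not None


def build_ping_vulnerable(hostname):
    # Bug class from the advisory: the value is interpolated into a string
    # that would be handed to /bin/sh via shell=True, so any shell
    # metacharacters in `hostname` become part of the command line.
    return f"ping -c 1 {hostname}"


def build_ping_hardened(hostname):
    # Validate first; then return an argv list. Each element is passed to
    # the program unchanged because no shell parses it.
    if not is_safe_hostname(hostname):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", hostname]


def run_ping_hardened(hostname, timeout=5):
    """Execute the hardened form; shell=False is the default for a list."""
    argv = build_ping_hardened(hostname)
    result = subprocess.run(argv, capture_output=True, timeout=timeout, check=False)
    return result.returncode


if __name__ == "__main__":
    tainted = "example.invalid; echo injected"
    print("vulnerable command line:", build_ping_vulnerable(tainted))
    print("hardened accepts it?    ", is_safe_hostname(tainted))
    print("hardened argv:          ", build_ping_hardened("192.0.2.10"))
```

Validation and the argv form complement each other: the allowlist rejects anything that is not a hostname, and the list-based call means that even a value which slipped past validation would reach `ping` as one argument rather than being re-parsed by a shell.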
What Gardyn users should do now
Users should make sure their Gardyn devices are online so they can receive automatic updates. Gardyn says patches install automatically when the device connects to the internet, and it asks users to verify that the mobile app is updated to version 2.11.0 or later.
The company also tells customers to check device and app version details in the Gardyn mobile app under Settings, then Advanced. If a device has been offline, Gardyn says users should reconnect it and leave it online so the fixes can install.
CISA also recommends reducing network exposure, keeping these devices off the public internet, placing them behind firewalls, and using secure remote access methods if remote administration is necessary. It adds that organizations should review impact and risk before deploying defensive changes.
Quick mitigation checklist
- Confirm the Gardyn device is online so it can receive automatic fixes.
- Update the Gardyn mobile app to version 2.11.0 or later.
- Verify patched firmware is installed on Home and Studio devices.
- Restrict direct internet exposure for smart garden control devices.
- Place these systems behind firewalls and separate them from normal home or business networks where possible.
- Review any API integrations that may still depend on older cloud endpoints.
FAQ
CISA warned that multiple Gardyn Home Kit vulnerabilities could let unauthenticated attackers remotely compromise devices, access cloud data, and pivot to other devices in the same environment.
Gardyn says it has no evidence that these vulnerabilities were exploited beyond what the researcher reported. CISA’s advisory also does not say the flaws are being actively exploited in the wild.
The advisory covers the Gardyn Home and Gardyn Studio ecosystem, including firmware, the mobile app before version 2.11.0, and Gardyn Cloud API versions before 2.12.2026 for several of the newer issues.
A successful attacker could potentially take control of a device, alter functions such as lighting or watering, view plant photos, and access limited customer information. Some of the cloud flaws could also expose account data or administrative functions.