Smart gardening systems are designed to bring the serenity of nature indoors, but a series of critical security vulnerabilities in a popular “plug-and-play” hydroponic kit could be inviting digital intruders into your living room. The Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-alert advisory regarding multiple vulnerabilities in the Gardyn Home Kit, an AI-powered indoor gardening system.
The flaws impact the system’s firmware, mobile application, and cloud API, creating a multi-layered attack surface that could allow hackers to move far beyond just managing your plants.
According to the CISA summary, “Successful exploitation of these vulnerabilities could allow unauthenticated users to access and control edge devices, access cloud-based devices and user information without authentication, and pivot to other edge devices managed in the Gardyn cloud environment”.
Researchers identified four primary vulnerabilities that expose the system to complete takeover:
- Insecure Credential Exchange (CVE-2025-29628): The system downloads critical connection strings over an insecure HTTP connection. “A Gardyn Azure IoT Hub connection string is downloaded over an insecure HTTP connection leaving the string vulnerable to interception and modification through a Man-in-the-Middle attack,” the advisory warns. This could allow an attacker to capture device credentials or seize control of home kits.
- Weak Shell Access (CVE-2025-29629): The Home Kit utilizes weak default credentials for Secure Shell (SSH) access, potentially allowing attackers to gain direct entry into the device’s operating system.
- Command Injection (CVE-2025-29631): With a critical CVSS score of 9.1, this flaw allows for the execution of arbitrary code. The device is “vulnerable to command injection through vulnerable methods that do not sanitize input before passing content to the operating system,” which could lead to an attacker executing unauthorized OS commands on a target kit.
- API Credential Leakage (CVE-2025-1242): Administrative credentials can be extracted through various methods, including application API responses and reverse engineering. “The exposure may result in an attacker gaining full administrative access to the Gardyn IoT Hub exposing connected devices to malicious control”.
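The two device-side weaknesses above (a credential fetched over plaintext HTTP, and untrusted input handed to the operating system) map to two small hardening checks. The following is an added illustration written for this article, not Gardyn's firmware or app code: the helper path, pump names, URL and sample connection string are all constructed, and the only real detail assumed is the standard shape of an Azure IoT Hub device connection string. The first part refuses a non-TLS download and validates the string's fields; the second shows the shell line a naive handler would execute next to a handler that allowlists the value and invokes the helper through an argv list with no shell involved.

```python
"""Illustrative device-side hardening for the two issues above.

Added example, not Gardyn's code: function names, the helper path and the
sample inputs are constructed for this demonstration. It shows
  1. a fetch routine that refuses a plaintext http:// URL for the Azure IoT
     Hub connection string (CVE-2025-29628) and validates the string's shape;
  2. a command handler that builds an argv list behind an allowlist instead
     of interpolating untrusted text into a shell line (CVE-2025-29631).
"""
import re
import ssl
import subprocess
import urllib.request
from urllib.parse import urlparse

# --- 1. Connection-string transport and shape -------------------------------

# Azure IoT Hub device connection strings have the form
# "HostName=<hub>.azure-devices.net;DeviceId=<id>;SharedAccessKey=<base64>".
_CONN_KEYS = {"HostName", "DeviceId", "SharedAccessKey"}
_HOST_RE = re.compile(r"^[a-z0-9-]+\.azure-devices\.net$", re.IGNORECASE)


def parse_connection_string(raw: str) -> dict:
    """Split 'k=v;k=v' and insist on exactly the three fields a device needs,
    so a tampered download cannot smuggle extra fields or a foreign hub host."""
    parts = {}
    for item in raw.strip().split(";"):
        if not item:
            continue
        key, sep, value = item.partition("=")  # keeps base64 '=' padding intact
        if not sep or not value:
            raise ValueError(f"malformed segment: {item!r}")
        parts[key] = value
    if set(parts) != _CONN_KEYS:
        raise ValueError(f"unexpected field set: {sorted(parts)}")
    if not _HOST_RE.match(parts["HostName"]):
        raise ValueError(f"HostName is not an IoT Hub host: {parts['HostName']!r}")
    return parts


def fetch_connection_string(url: str, timeout: float = 10.0) -> dict:
    """Download the connection string only over TLS with certificate checks on.
    A plaintext URL is refused outright rather than silently upgraded."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-TLS URL for credential download: {url}")
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return parse_connection_string(resp.read().decode("utf-8"))


# --- 2. Command handling without a shell ------------------------------------

PUMPCTL = "echo"  # stand-in for a hypothetical /usr/local/bin/pumpctl helper
ALLOWED_PUMPS = {"main", "reservoir", "nutrient"}
_TOKEN_RE = re.compile(r"^[a-z][a-z0-9_-]{0,31}$")


def vulnerable_command_line(pump_name: str) -> str:
    """The pattern the advisory describes: untrusted text dropped into a shell
    line. Returned as a string and never executed here, so the injected
    second command is visible rather than run."""
    return f"{PUMPCTL} start {pump_name}"


def hardened_argv(pump_name: str) -> list:
    """Allowlist first, charset second, then an argv list: no shell parses the
    value, so metacharacters carry no meaning even if the allowlist grows."""
    if pump_name not in ALLOWED_PUMPS or not _TOKEN_RE.match(pump_name):
        raise ValueError(f"rejected pump name: {pump_name!r}")
    return [PUMPCTL, "start", pump_name]


def run_pump(pump_name: str) -> str:
    """Run the validated argv with shell=False and return the helper's stdout."""
    result = subprocess.run(hardened_argv(pump_name), shell=False,
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample: a pump name arriving from an untrusted cloud/app path.
    crafted = "main; id"
    print("shell line a naive handler would run:", vulnerable_command_line(crafted))
    try:
        run_pump(crafted)
    except ValueError as exc:
        print("hardened handler:", exc)
    print("hardened handler, valid input:", run_pump("main"))
    # Constructed sample connection string (not a real hub or key).
    sample = "HostName=example-hub.azure-devices.net;DeviceId=kit-42;SharedAccessKey=QUJDREVGR0g="
    print("parsed hub host:", parse_connection_string(sample)["HostName"])
```

The point of returning the vulnerable shell line instead of executing it is that the defect is visible in the string itself: everything after the `;` becomes a second command the moment a shell sees it. The hardened path never gives a shell the chance, and the scheme check on the credential URL is deliberately a hard failure rather than an HTTP-to-HTTPS rewrite, since a device that quietly falls back to plaintext is the condition the advisory warns about.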
Gardyn has moved quickly to address these issues. The company states that “relevant fixes are included in the latest version of the Gardyn mobile application”. Users are required to run a supported version of the Gardyn App (version 2.11.0 or newer) on their phones to access services safely.
For the hardware itself, Gardyn recommends that users “ensure their home kit devices are upgraded to firmware master.619 or later”.
Because the system relies on cloud connectivity for security, “Gardyn requests that users ensure their home kits have network connectivity in order to automatically download needed firmware updates”. Unconnected devices will remain vulnerable until they are reconfigured with a working internet connection to receive the patch.