Categories: Cyber Security News

Critical Gardyn Smart Gardens Vulnerabilities Let Attackers Control Devices Remotely

A newly updated advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has disclosed multiple critical vulnerabilities in Gardyn Home Kit smart gardening systems that could allow attackers to remotely take control of devices.

According to the April 2026 advisory update, the vulnerabilities carry a high CVSS score of 9.3, indicating severe risk.

Successful exploitation could enable unauthenticated attackers to fully compromise edge devices and gain access to sensitive user data stored in the Gardyn cloud environment.

Security researcher Michael Groberman initially identified and reported the vulnerabilities, which have now been formally documented by CISA in Update A of its advisory.

Critical Vulnerability Details

The advisory expands on an earlier February release and introduces several newly tracked CVEs, including:

  • CVE-2025-1242
  • CVE-2025-10681
  • CVE-2026-28766
  • CVE-2026-32662

These flaws impact multiple components of the Gardyn ecosystem:

  • Gardyn Mobile Application (versions before 2.11.0)
  • Gardyn Cloud API (versions before 2.12.2026)
  • Gardyn Home Firmware and Gardyn Studio Firmware

The vulnerabilities stem from fundamental security weaknesses in authentication, authorization, and data handling mechanisms.

Key technical issues include:

  • OS command injection due to improper input sanitization
  • Transmission of sensitive data in clear text
  • Use of hard-coded and default credentials
  • Missing authentication for critical device and cloud functions
  • Authorization bypass via user-controlled key manipulation
  • Debug code left active in production environments

These combined flaws create a dangerous attack surface, allowing threat actors to compromise devices without prior authentication.

CISA warns that a compromised Gardyn device could serve as an entry point into broader networks.

Attackers may use the compromised device to pivot into the Gardyn cloud infrastructure or other connected devices on the same network.

This significantly increases the risk, especially in environments where smart devices are integrated into larger home or enterprise networks.

Despite the severity, CISA has stated that there is currently no evidence of active exploitation in the wild.

CISA urges users and organizations to take immediate action to reduce exposure.

Recommended measures include:

  • Update the Gardyn Mobile App to version 2.11.0 or later
  • Avoid exposing control systems directly to the internet
  • Place devices behind secure firewalls and segmented networks
  • Use secure remote access methods such as VPNs
  • Monitor systems for unusual or suspicious activity

Users are also advised to conduct risk assessments before implementing changes to prevent operational disruptions.

Any signs of compromise or suspicious behavior should be reported promptly, and incident response procedures should be initiated immediately.

As smart agriculture and IoT devices continue to expand, this advisory highlights the growing importance of securing connected systems against evolving cyber threats.


The post Critical Gardyn Smart Gardens Vulnerabilities Let Attackers Control Devices Remotely appeared first on Cyber Security News.
