Advisory

Critical Vulnerabilities in Gardyn Home Kit Allow Remote Device Takeover

Take action: If you are using Gardyn devices, update them promptly; the update process is straightforward. Treat smart home and IoT devices as potential entry points into your network: keep them unreachable from the internet and on a separate network segment, always change default passwords, and make sure automatic updates are enabled.

Learn More

CISA and Gardyn report four security vulnerabilities in Gardyn's Home Kit ecosystem, affecting firmware, mobile applications, and cloud APIs. These flaws allow unauthenticated attackers to hijack smart gardening devices, access sensitive user data, and move laterally through the cloud environment.

Vulnerabilities summary:

  • CVE-2025-29631 (CVSS score 9.1) - An OS command injection vulnerability caused by improper neutralization of special elements in system calls. Attackers can send unsanitized input to vulnerable methods to run arbitrary operating system commands on the target device.
  • CVE-2025-1242 (CVSS score 9.1) - Use of hard-coded credentials that attackers can extract through API responses or by reverse engineering the mobile app and firmware. This flaw grants full administrative access to the Gardyn IoT Hub, exposing all connected devices to malicious control.
  • CVE-2025-29628 (CVSS score 8.3) - Cleartext transmission of sensitive information where Azure IoT Hub connection strings are sent over insecure HTTP. Attackers can use man-in-the-middle techniques to intercept these strings and capture device credentials to take control of the home kit.
  • CVE-2025-29629 (CVSS score 8.3) - Use of weak default credentials for Secure Shell (SSH) access on the edge devices. This allows attackers to gain unauthorized access to any Gardyn Home Kit exposed to the network by using factory-set login details.

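The first item above, CVE-2025-29631, is an instance of CWE-78 (OS command injection). The following is an added illustration of that vulnerability class and its fix; it is not Gardyn's code and the advisory does not describe the actual affected method. It models a hypothetical device-side diagnostic that pings a caller-supplied host, shows the injectable pattern (untrusted input spliced into a shell string), and beside it the hardened pattern (strict allowlist validation plus an argv list with no shell involved). The hostname pattern and the `ping` command are assumptions for the sake of the example.

```python
"""Added example: OS command injection (CWE-78), vulnerable vs. hardened.

Hypothetical device diagnostic, not Gardyn code. The 'ping' command and the
hostname allowlist are assumptions made for illustration.
"""
import re
import subprocess

# Allowlist: an IPv4 address or a DNS-style hostname (letters, digits,
# hyphens, dots). Anything else, including ';', '|', '&', '$(', backticks,
# spaces and a leading '-', is rejected before it reaches any command.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(host: str) -> str:
    """The injectable pattern: the caller's input is concatenated into a
    string destined for `subprocess.run(..., shell=True)`. Returned rather
    than executed so the example can show what /bin/sh would receive."""
    return f"ping -c 1 {host}"


def is_safe_host(host: str) -> bool:
    """True only if the value matches the strict hostname/IPv4 allowlist."""
    return _HOSTNAME_RE.fullmatch(host) is not None


def hardened_argv(host: str) -> list[str]:
    """The fixed pattern: validate, then build an argument vector.

    With an argv list and shell=False (subprocess.run's default) the
    arguments go straight to execve; shell metacharacters in `host` are
    just bytes in one argument, never parsed as syntax."""
    if not is_safe_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def run_diagnostic(host: str, timeout: float = 5.0) -> int:
    """Run the hardened diagnostic and return the process exit code."""
    proc = subprocess.run(
        hardened_argv(host), capture_output=True, text=True, timeout=timeout
    )
    return proc.returncode


if __name__ == "__main__":
    tainted = "10.0.0.5; id"  # constructed sample input
    print("shell string the vulnerable form would run:", vulnerable_command(tainted))
    print("hardened form accepts it?", is_safe_host(tainted))
    print("hardened argv for a clean value:", hardened_argv("10.0.0.5"))
    try:
        print("ping 127.0.0.1 exit code:", run_diagnostic("127.0.0.1"))
    except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
        print("ping not available here:", exc)
```

The fix has two independent layers: validation rejects anything outside the expected shape, and the argv form removes the shell so that even an unexpected value cannot change which program runs. Either alone is weaker; the second one is what turns "sanitize special characters" into "special characters have no meaning".
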
Because the platform manages devices through a centralized cloud, a breach of one component lets attackers pivot to other devices in the Gardyn environment. The following data items are at risk of exposure:

  • Azure IoT Hub connection strings
  • Administrative credentials
  • Device operational data
  • User account information
  • Operating system access via SSH

The vulnerabilities affect Gardyn Home Kit firmware versions prior to master.619 and mobile application versions earlier than 2.11.0. The Gardyn Home Kit Cloud API is also affected in versions prior to 2.12.2026. 

Gardyn released updates to patch these flaws and recommends users update their mobile app to version 2.11.0 or later immediately. Devices must have active network connectivity to automatically download and install firmware version master.619. 

Users can verify their current versions within the app settings and should refer to the Gardyn security page for additional guidance. CISA also suggests isolating these devices from the public internet and using a VPN for any necessary remote access.
