SecurityWeek

Critical Flaws Exposed Gardyn Smart Gardens to Remote Hacking

CISA has released an advisory to warn about four vulnerabilities discovered by a researcher in Gardyn Home and Gardyn Studio.

Gardyn smart indoor hydroponic gardens were until recently affected by potentially serious vulnerabilities that could have been exploited for remote hacking, the cybersecurity agency CISA said this week.

Gardyn smart gardens enable users to cultivate fresh vegetables, herbs, and greens indoors, using automated LED lighting, nutrient-rich water circulation, and AI-driven monitoring for effortless, year-round homegrown produce.

According to CISA, Gardyn products were affected by two critical and two high-severity vulnerabilities.

One of the critical flaws, tracked as CVE-2025-29631, is a command injection issue that can be exploited to execute arbitrary OS commands on the targeted device. 

The second critical vulnerability, CVE-2025-1242, is related to the exposure of hardcoded admin credentials that can be used to gain full control of the Gardyn IoT Hub.

The high-severity vulnerabilities, CVE-2025-29628 and CVE-2025-29629, are related to the cleartext transmission of sensitive information by the Azure IoT Hub (exposure to MitM attacks) and the use of default credentials that allow SSH access.

In a security advisory published this week, Gardyn informed customers that it has released patches for Gardyn Home and Gardyn Studio. The fixes include mobile app updates and smart garden firmware updates, which should have already been installed by most users, considering that firmware is automatically updated when an internet connection is available.

The vendor said there is no evidence of in-the-wild exploitation and pointed out that sensitive information such as login credentials and payment card details was not exposed.

Michael Groberman, the cybersecurity researcher credited by CISA for reporting the vulnerabilities, has published his own advisories, estimating that roughly 138,000 devices were affected.

Groberman told SecurityWeek that the critical-severity vulnerabilities could have been exploited remotely from the internet without authentication or user interaction. 

The researcher explained that the cloud-side vulnerabilities target the Gardyn API and the Azure IoT Hub infrastructure, which are internet-facing.

In a theoretical attack scenario described by the researcher, “an attacker could extract the hardcoded administrative credentials from the mobile app or firmware, gaining full administrative access to the IoT Hub. From there they could interact with connected devices across the customer base and execute arbitrary OS commands on home kits via the command injection flaw.”

In its advisory, Gardyn confirmed that an attacker could have exploited the vulnerabilities to take remote control of a device, including to alter the lighting or watering of plants. Attackers could have also gained access to plant photos and limited personal information such as name, address, email address, and phone number. 

Groberman contradicted some of the vendor’s claims, saying that the last four digits of the credit cards used to purchase a subscription were also exposed—he verified this on his own account.

Groberman told SecurityWeek that his research builds upon the findings of another researcher, Kristof Mattei, who disclosed his findings in the summer of 2025. At the time of Mattei’s disclosure, the researcher said the vendor had taken some steps to address the vulnerabilities, but critical issues had remained unpatched.

Groberman said he reported his expanded findings to the vendor in October 2025. 


Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
