ICS/OT

Critical Flaws Exposed Gardyn Smart Gardens to Remote Hacking

CISA has released an advisory to warn about four vulnerabilities discovered by a researcher in Gardyn Home and Gardyn Studio.

By Eduard Kovacs | February 27, 2026 (2:38 AM ET)

Gardyn smart indoor hydroponic gardens were until recently affected by potentially serious vulnerabilities that could have been exploited for remote hacking, the cybersecurity agency CISA said this week.

Gardyn smart gardens enable users to cultivate fresh vegetables, herbs, and greens indoors, using automated LED lighting, nutrient-rich water circulation, and AI-driven monitoring for effortless, year-round homegrown produce.

According to CISA, Gardyn products were affected by two critical and two high-severity vulnerabilities.

One of the critical flaws, tracked as CVE-2025-29631, is a command injection issue that can be exploited to execute arbitrary OS commands on the targeted device.

The second critical vulnerability, CVE-2025-1242, is related to the exposure of hardcoded admin credentials that can be used to gain full control of the Gardyn IoT Hub.

The high-severity vulnerabilities, CVE-2025-29628 and CVE-2025-29629, are related to the cleartext transmission of sensitive information by the Azure IoT Hub (exposure to MitM attacks) and the use of default credentials that allow SSH access.

In a security advisory published this week Gardyn informed customers that it has released patches for Gardyn Home and Gardyn Studio. The fixes include mobile app updates and smart garden firmware updates, which should have already been installed by most users considering that firmware is automatically updated when an internet connection is available.

The vendor said there is no evidence of in-the-wild exploitation and pointed out that sensitive information such as login credentials and payment card details were not exposed.
Michael Groberman, the cybersecurity researcher credited by CISA for reporting the vulnerabilities, has published his own advisories, estimating that roughly 138,000 devices were affected.

Groberman told SecurityWeek that the critical-severity vulnerabilities could have been exploited remotely from the internet without authentication or user interaction.

The researcher explained that the cloud-side vulnerabilities target the Gardyn API and the Azure IoT Hub infrastructure, which are internet-facing.

In a theoretical attack scenario described by the researcher, “an attacker could extract the hardcoded administrative credentials from the mobile app or firmware, gaining full administrative access to the IoT Hub. From there they could interact with connected devices across the customer base and execute arbitrary OS commands on home kits via the command injection flaw.”

In its advisory, Gardyn confirmed that an attacker could have exploited the vulnerabilities to take remote control of a device, including to alter the lighting or watering of plants. Attackers could have also gained access to plant photos and limited personal information such as name, address, email address, and phone number.

Groberman told SecurityWeek that his research builds upon the findings of another researcher, Kristof Mattei, who disclosed his findings in the summer of 2025.

At the time of Mattei’s disclosure, the researcher said the vendor had taken some steps to address the vulnerabilities, but critical issues had remained unpatched. Groberman said he reported his expanded findings to the vendor in October 2025.

Written By Eduard Kovacs

Eduard Kovacs (@EduardKovacs) is the managing editor at SecurityWeek.
He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
CISA has disclosed critical vulnerabilities in Gardyn smart hydroponic gardens, including a command injection flaw (CVE-2025-29631, CVSS 9.8) and an exposure of hardcoded admin credentials (CVE-2025-1242, CVSS 9.1), which could be exploited remotely via the internet-facing API and Azure IoT Hub to execute arbitrary OS commands and gain full administrative control. The vendor has released patches via mobile app and firmware updates, which are applied automatically when an internet connection is available, and reports no evidence of in-the-wild exploitation.