Gardyn’s smart indoor hydroponic gardens were found to have four vulnerabilities disclosed by CISA, two rated critical and two high severity, which could allow a device to be compromised remotely with no user interaction.
One critical flaw, CVE-2025-29631, is a command injection that allows arbitrary OS commands to be run on the device; the other, CVE-2025-1242, involves hardcoded admin credentials that could give an attacker full control of the Gardyn IoT Hub. The two high-severity flaws, CVE-2025-29628 and CVE-2025-29629, relate to cleartext transmission of sensitive data and to default credentials for SSH access.
In its advisory, Gardyn announced patches for Gardyn Home and Gardyn Studio and noted that mobile app and firmware updates had been released, with firmware updates expected to be installed automatically where an internet connection is available. The researcher credited by CISA, Michael Groberman, estimated about 138,000 devices were affected, and Groberman indicated the vulnerabilities could be exploited remotely from the internet without authentication.
Gardyn said there was no evidence of in-the-wild exploitation and that login credentials and payment card data were not exposed. The findings build on disclosures by Kristof Mattei, with Groberman reporting expanded results to the vendor in October 2025.