Gardyn Home Kit

Summary

Successful exploitation of these vulnerabilities could allow unauthenticated users to access and control edge devices, access cloud-based devices and user information without authentication, and pivot to other edge devices managed in the Gardyn cloud environment.

The following versions of Gardyn Home Kit are affected:

  • Home Kit Firmware
  • Gardyn Home Kit Mobile Application <2.11.0 (CVE-2025-29628, CVE-2025-29629, CVE-2025-29631, CVE-2025-1242)
  • Gardyn Home Kit Cloud API <2.12.2026 (CVE-2025-29628, CVE-2025-29629, CVE-2025-29631, CVE-2025-1242)

CVSS: v3 9.1
Vendor: Gardyn
Equipment: Gardyn Home Kit
Vulnerabilities: Cleartext Transmission of Sensitive Information, Use of Default Credentials, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Use of Hard-coded Credentials

Background

  • Critical Infrastructure Sectors: Food and Agriculture
  • Countries/Areas Deployed: United States
  • Company Headquarters Location: United States

Vulnerabilities

CVE-2025-29628

A Gardyn Azure IoT Hub connection string is downloaded over an insecure HTTP connection, leaving the string vulnerable to interception and modification through a Man-in-the-Middle attack. This may result in the attacker capturing device credentials or taking control of vulnerable home kits.
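The weakness behind this CVE is a device credential (an Azure IoT Hub connection string) served over plain HTTP. The following is an added example, not Gardyn code, of how a defender can check for that exposure: it enforces an HTTPS-only rule on the provisioning URL and scans captured HTTP exchanges for connection strings delivered without TLS, redacting the key in any report. The connection-string layout (HostName/DeviceId/SharedAccessKey) is the documented public format; the URLs, hub name, device IDs and key values are constructed for the example.

```python
"""Defensive check for CWE-319 exposure of an Azure IoT Hub device connection
string (the CVE-2025-29628 weakness class). Added example, not Gardyn code."""
import re
from urllib.parse import urlparse

# Azure IoT Hub device connection strings are ';'-separated key=value pairs.
# This regex matches the documented HostName/DeviceId/SharedAccessKey shape.
CONN_STR_RE = re.compile(
    r"HostName=(?P<host>[\w.-]+\.azure-devices\.net);"
    r"DeviceId=(?P<device>[^;\s]+);"
    r"SharedAccessKey=(?P<key>[A-Za-z0-9+/=]+)"
)


def parse_connection_string(text):
    """Return the connection-string fields found in text, or None."""
    m = CONN_STR_RE.search(text)
    return m.groupdict() if m else None


def redact(secret):
    """Keep only a short prefix so a finding can be correlated without leaking the key."""
    return secret[:4] + "..." + "*" * 4


def check_download_url(url):
    """Policy: credential material may only be fetched over TLS."""
    p = urlparse(url)
    return p.scheme == "https" and bool(p.netloc)


def find_cleartext_leaks(capture):
    """Scan (url, response_body) pairs and report connection strings served
    without TLS. Bodies that carry no connection string are ignored."""
    findings = []
    for url, body in capture:
        creds = parse_connection_string(body)
        if creds and not check_download_url(url):
            findings.append({
                "url": url,
                "host": creds["host"],
                "device": creds["device"],
                "key_hint": redact(creds["key"]),
            })
    return findings


# Constructed sample capture: one cleartext leak, one TLS-protected fetch,
# one unrelated response. Hostnames use the reserved .invalid TLD.
SAMPLE_CAPTURE = [
    ("http://provision.example.invalid/device/config",
     "HostName=example-hub.azure-devices.net;DeviceId=homekit-0001;"
     "SharedAccessKey=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="),
    ("https://provision.example.invalid/device/config",
     "HostName=example-hub.azure-devices.net;DeviceId=homekit-0002;"
     "SharedAccessKey=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="),
    ("http://provision.example.invalid/status", '{"ok": true}'),
]

if __name__ == "__main__":
    for finding in find_cleartext_leaks(SAMPLE_CAPTURE):
        print(finding)
```

Run against a real capture, the same scan can be fed by a proxy or packet-capture export; the detection point is the combination of a credential-shaped body and a non-TLS URL, which is exactly what the advisory describes.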

Affected Products

Gardyn Home Kit
  Vendor: Gardyn
  Product Version: Gardyn Home Kit Firmware <master.619, Gardyn Home Kit Mobile Application <2.11.0, Gardyn Home Kit Cloud API <2.12.2026
  Product Status: known_affected

Remediations

Mitigation
Gardyn states that the relevant fixes are included in the latest version of the Gardyn mobile application. Users are required to run a supported version of the Gardyn App on their phone in order to access Gardyn services and devices.

Mitigation
The current versions of the Gardyn App and the Gardyn Home firmware can be checked in the Gardyn App.

Mitigation
For all vulnerabilities, Gardyn recommends users ensure their home kit devices are upgraded to firmware master.619 or later. Gardyn also recommends that users update their mobile application to the most recent version. Gardyn requests that users ensure their home kits have network connectivity in order to automatically download needed firmware updates. Unconnected devices will automatically update when configured with a working Internet connection.

Mitigation
Further information on Gardyn security can be found here: https://mygardyn.com/security/

Mitigation
Further customer support can be obtained from Gardyn at: support@mygardyn.com

Relevant CWE: CWE-319 Cleartext Transmission of Sensitive Information


Metrics

CVSS Version: 3.1
Base Score: 8.3
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

CVE-2025-29629

The Gardyn Home Kit uses weak default credentials for secure shell access. This may result in attackers gaining access to exposed Gardyn Home Kits.
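The fix for this CVE is the vendor firmware update, but the weakness class (password-based SSH access with weak defaults on an edge device) is one an operator can audit for. The following is an added example, not Gardyn code and not a description of the Home Kit's actual SSH configuration: a small sshd_config auditor that flags settings which leave password or root login enabled. The policy it enforces and both sample configs are constructed assumptions; the option defaults encoded below are those documented in sshd_config(5).

```python
"""Audit an OpenSSH server configuration for settings that allow weak
password logins (the CVE-2025-29629 weakness class). Added example."""

# sshd's own defaults when an option is not set (from sshd_config(5)).
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
}

# Assumed hardening policy: no password logins, no empty passwords, and
# root only with keys (or not at all).
POLICY = {
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
}


def parse_sshd_config(text):
    """Return the effective global option values.

    sshd uses the first occurrence of a keyword; options inside a Match block
    are conditional, so parsing stops at the first Match line."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)      # first match wins, as in sshd
    return effective


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config passes POLICY."""
    effective = parse_sshd_config(text)
    findings = []
    for key, allowed in POLICY.items():
        have = effective.get(key, SSHD_DEFAULTS[key])
        if have.lower() not in allowed:
            source = "set" if key in effective else "sshd default"
            findings.append(f"{key}={have} ({source}); expected one of {sorted(allowed)}")
    return findings


# Constructed samples: a permissive config and a hardened one.
WEAK_CONFIG = """# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """# constructed sample
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Note that an empty configuration is not safe: with nothing set, sshd's default of PasswordAuthentication yes still allows password logins, so the auditor reports it. The check is deliberately limited to global settings; Match blocks need per-condition evaluation and are out of scope here.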

Affected Products

Gardyn Home Kit
This article has been indexed from All CISA Advisories