ICSA-26-055-03 · Published 2026-04-02 · View on CISA ICS-CERT ↗

Gardyn Home Kit (Update A)

CVSS 9.3 CRITICAL

Risk Summary

Successful exploitation of these vulnerabilities could allow unauthenticated users to access and control edge devices, access cloud-based devices and user information without authentication, and pivot to other edge devices managed in the Gardyn cloud environment.

CVEs (10)

CVE-2025-29628 CVE-2025-29629 CVE-2025-29631 CVE-2025-1242 CVE-2025-10681 CVE-2026-28766 CVE-2026-25197 CVE-2026-32646 CVE-2026-28767 CVE-2026-32662

Remediations

Gardyn states that the relevant fixes are included in the latest version of the Gardyn mobile application. Users are required to run a supported version of the Gardyn App on their phone in order to access Gardyn services and devices.
The current versions of the Gardyn App and the Gardyn Home firmware can be checked in the Gardyn App.
For all vulnerabilities, Gardyn recommends users ensure their home kit and studio devices are upgraded to firmware master.622 or later. Gardyn also recommends that users update their mobile application to the most recent version. Gardyn requests that users ensure their devices have network connectivity in order to automatically download needed firmware updates. Unconnected devices will automatically update when configured with a working Internet connection.
Further information on Gardyn security can be found here: https://mygardyn.com/security/
Further customer support can be obtained from Gardyn at: [email protected]

Affected Vendors

Gardyn

Affected Products (4)

Gardyn · Gardyn Home Firmware <master.619

Gardyn · Gardyn Studio Firmware <master.619

Gardyn · Gardyn Mobile Application <2.11.0

Gardyn · Gardyn Cloud API <2.12.2026

Affected Sectors

Food and Agriculture

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more