Critical Vulnerabilities Exposed Gardyn Smart Gardens to Remote Hacking Attacks
Critical Vulnerabilities in Gardyn Smart Indoor Hydroponic Gardens
A series of critical vulnerabilities in Gardyn smart indoor hydroponic gardens could have been exploited by hackers to gain remote access and control over the devices, according to a recent security advisory.
Vulnerabilities Identified
The vulnerabilities, which were identified by cybersecurity researcher Michael Groberman and reported to the vendor in October 2025, include a command injection issue and the exposure of hardcoded admin credentials.
Gardyn smart gardens, which allow users to cultivate fresh produce indoors using automated LED lighting and AI-driven monitoring, were affected by two critical and two high-severity vulnerabilities.
Critical Flaws
The critical flaws, tracked as CVE-2025-29631 and CVE-2025-1242, could have been exploited to execute arbitrary OS commands on the targeted device and gain full control of the Gardyn IoT Hub, respectively.
High-Severity Vulnerabilities
The high-severity vulnerabilities, CVE-2025-29628 and CVE-2025-29629, relate to the cleartext transmission of sensitive information by the Azure IoT Hub and the use of default credentials that allow SSH access.
An attacker could have exploited these vulnerabilities to intercept sensitive information and gain access to the devices.
Groberman, who estimated that around 138,000 devices were affected, explained that the critical-severity vulnerabilities could have been exploited remotely from the internet without authentication or user interaction.
Potential Attack Scenario
The researcher described a theoretical attack scenario in which an attacker could extract the hardcoded administrative credentials from the mobile app or firmware, gaining full administrative access to the IoT Hub and allowing them to interact with connected devices across the customer base.
Vendor Response
In a security advisory, Gardyn confirmed that an attacker could have exploited the vulnerabilities to take remote control of a device, alter the lighting or watering of plants, and gain access to plant photos and limited personal information such as name, address, and phone number.
The vendor stated that it has released patches for the vulnerabilities, including mobile app updates and smart garden firmware updates, which should have already been installed by most users.
Importance of Securing IoT Devices
The vulnerabilities highlight the importance of securing IoT devices and the need for vendors to prioritize security in their products.
As the use of smart devices in homes and businesses continues to grow, the potential attack surface for hackers also increases.
It is essential for vendors to identify and address vulnerabilities quickly to prevent exploitation and protect their customers.
About Author
English