# CISA Advisory ICSA-26-055-03

All ten CVEs in CISA advisory ICSA-26-055-03, as updated April 2, 2026 (Update A). Each entry links to the canonical NVD record, MITRE CVE record, and per-CVE researcher repository where available.

## The advisory

| Advisory | CISA ICSA-26-055-03 |
|---|---|
| Initial publication | February 24, 2026 (4 CVEs) |
| Update A | April 2, 2026 (10 CVEs) |
| Vendor | Gardyn Inc. |
| Affected products | Gardyn Home Kit (Models 1.0, 2.0, 3.0, 4.0), Gardyn Studio (Models 1.0, 2.0) |
| Affected versions | Mobile App <2.11.0; Cloud API <2.12.2026; Home Kit Firmware <master.622 |
| Sector | Food and Agriculture (CISA classification) |
| Registered devices (per researcher repository) | 138,160+ |
| User records (per CVE-2026-28766) | 134,215 |
| Researcher | Michael Groberman |
| Coordinator | CERT/CC (parent case VU#653116) and CISA |
| Status per CISA Update A | All ten CVEs remediated |

## The ten CVEs

| CVE | Title | Severity |
|---|---|---|
| CVE-2026-28766 | Missing Authentication: User Account Endpoint | Critical (9.3) |
| CVE-2025-1242 | Use of Hard-coded Credentials | Critical (9.1) |
| CVE-2025-29631 | OS Command Injection | Critical (9.1) |
| CVE-2026-25197 | Authorization Bypass via User-Controlled Key (IDOR) | Critical (9.1) |
| CVE-2025-10681 | Hardcoded Azure Blob Storage Account Key | High (8.6) |
| CVE-2025-29628 | Cleartext Transmission of Sensitive Information | High (8.3) |
| CVE-2025-29629 | Use of Default Credentials | High (8.3) |
| CVE-2026-32646 | Missing Authentication: Admin Device Management | High (7.5) |
| CVE-2026-28767 | Missing Authentication: Admin Notifications | Medium (5.3) |
| CVE-2026-32662 | Active Debug Code in Production | Medium (5.3) |

## Attack chains documented in the researcher's repository

The researcher's repository documents two attack chains that combine individual CVEs:
- Chain 1. CVE-2025-1242 (hardcoded iothubowner credential) plus CVE-2025-29631 (command injection in upgrade()) yields, per the repository, unauthenticated remote code execution as root on registered devices.
- Chain 2. CVE-2026-28766 (unauthenticated /api/users) and CVE-2026-25197 (IDOR on /api/user/{id}) together provide, per the repository, PII access for 134,215 user records, including names, email addresses, phone numbers, and the last_four partial payment-card field.

## Disclosure timeline

Per the researcher's coordinated-disclosure repository, initial vendor outreach took place on October 14, 2025, and CERT/CC was engaged on December 11, 2025. CISA published the initial advisory on February 24, 2026 with four CVEs, and Update A on April 2, 2026 expanded it to ten CVEs. The repository also carries the full timeline and a description of the coordinated disclosure process.

## Primary sources

- CISA ICSA-26-055-03 (advisory and Update A)
- CSAF JSON (CISA)
- Researcher repository (per-CVE writeups)
- CERT/CC VU#653116 record
- NVD and MITRE CVE: linked from each per-CVE page