Gardyn Security Incident

Frequently Asked Questions

About CISA advisory ICSA-26-055-03.

What is CISA advisory ICSA-26-055-03?

CISA ICSA-26-055-03 is a Cybersecurity and Infrastructure Security Agency advisory published on February 24, 2026 and updated on April 2, 2026 (Update A) documenting ten CVEs affecting the Gardyn Home Kit and Gardyn Studio IoT platform.

How many Gardyn customers are referenced in the advisory?

Per CVE-2026-28766 in the CISA advisory, the affected unauthenticated endpoint exposed records for approximately 134,215 customers. Per the researcher’s coordinated-disclosure repository, 138,160+ devices were registered at the time of disclosure.

What does the advisory say about payment card data?

The CISA advisory describes CVE-2026-28766 as exposure of “all user account information” without enumerating field names. Per the researcher’s coordinated-disclosure repository, the records returned by the affected endpoint included the last_four partial payment-card field. Per Gardyn’s customer-facing security update post (mygardyn.com/blog/security-update/), the vulnerabilities did not expose payment card information. See the discrepancies page.

What does CISA say about remediation?

Per CISA Update A, all ten CVEs in the advisory are remediated. Per CISA, the fix versions are mobile application 2.11.0 or later, cloud API 2.12.2026 or later, and Home Kit firmware master.622 or later. Gardyn’s customer-facing post stated firmware master.619; per CISA Update A, master.622 is the version in which CVE-2025-29631 is remediated. See how to update.

How can I tell if my data was within scope?

Per CVE-2026-28766, the affected endpoint exposed records for approximately 134,215 customers. The site maintainer cannot confirm any individual record and does not retain any data drawn from the exposure. A Gardyn account-holder can independently verify whether they held an account during the affected period by reviewing their email archives for Gardyn correspondence.

What does CISA recommend for customers?

Per CISA Update A, customer-side remediation is to ensure the mobile app, cloud API client, and device firmware are at the fix versions stated in the advisory. Per CISA, general guidance for IoT devices includes minimizing internet exposure, placing devices behind a firewall, and using updated VPN software for remote access where required. See For Customers and how to update.

Who is credited as the researcher?

The CISA advisory credits Michael Groberman (handle: Gr0m) for the coordinated disclosure of the ten CVEs. Per the researcher’s coordinated-disclosure repository, three of the original four CVEs (CVE-2025-29628, CVE-2025-29629, CVE-2025-29631) were originally disclosed by mselbrede in February 2025; the current advisory cites that prior work.

When did the researcher first contact Gardyn?

Per the researcher’s coordinated-disclosure repository, initial outreach to Gardyn was on October 14, 2025. Per the same repository, CERT/CC was engaged on December 11, 2025. The initial CISA advisory was published February 24, 2026. See the timeline.

Was the disclosure coordinated?

Per the researcher’s repository, initial vendor outreach was October 14, 2025. CERT/CC engagement (parent case VU#653116) was December 11, 2025. CISA published the initial advisory on February 24, 2026. See the coordinated disclosure process page.

Is this site affiliated with Gardyn?

No. This site is independent documentation of CISA advisory ICSA-26-055-03. It is not affiliated with, endorsed by, or sponsored by Gardyn Inc. “Gardyn” is used solely as a nominative reference for identification.

How can journalists or researchers contact the maintainer?

See the press kit and the contact page. PGP and Signal are available on request.

How do I submit a correction?

Email corrections@gardyn-security-incident.info. Corrections are welcomed and processed with a dated correction-log entry per the methodology.

What does CVSS 9.3 mean?

CVSS (Common Vulnerability Scoring System) is a standardized severity score from 0.0 to 10.0. Scores from 9.0 to 10.0 are categorized as Critical. The score 9.3 reflects the specific metric values of the CVSS vector for that CVE; full vector strings are on each per-CVE page. See the glossary.

Is this a data breach under state law?

That is a fact-specific legal question that varies by jurisdiction. State breach-notification statutes apply different definitions. Gardyn’s customer-facing security update post characterizes the incident as not a data breach. The CISA advisory documents ten CVEs but does not adjudicate state-law breach status. See the For Customers page for jurisdiction-specific resources.

Why does the timeline list vendor actions in December 2025 and January 2026?

Per the researcher’s coordinated-disclosure repository, the /api/users endpoint stopped returning data to unauthenticated requests on December 18, 2025, and the Azure IoT Hub iothubowner administrative credential was rotated on January 22, 2026. These are dates on which observable changes in vendor infrastructure occurred during the coordination window prior to public CISA publication. See the coordinated disclosure process page.

Submit a question

Email contact@gardyn-security-incident.info. For press, use press@gardyn-security-incident.info. For corrections, use corrections@gardyn-security-incident.info.