Press Coverage
Independent press coverage of CISA advisory ICSA-26-055-03 and the Gardyn IoT findings.
Reporters and outlets covering the advisory
| Publication | Byline | Coverage |
|---|---|---|
| SecurityWeek | Eduard Kovacs | CISA advisory and CVE technical detail (industry trade) |
| Patrick Coyle (Chemical Facility Security News) | Patrick Coyle | OT/ICS context and CISA advisory analysis |
| Cybersecurity News | Editorial | "Critical Gardyn Smart Gardens Vulnerabilities Let Attackers Control Devices Remotely" |
| Cyber Press | Any Priya | "Critical Gardyn Smart Gardens Vulnerabilities Let Attackers Control Devices Remotely" |
| GBhackers | Divya | "Critical Gardyn Flaws Open Smart Garden Devices to Remote Hijacking" |
| Cyber Technology Insights | Editorial | "Critical Gardyn Flaws Enable Remote Device Hijacking" |
| BitNinja Security | Editorial | Focused coverage of CVE-2026-25197 (cloud API authorization) |
| OpenText Cybersecurity Community | Editorial | Notes ICSA-26-055-03 (Update A) in CISA's April 2 advisory roundup |
| CyberHub (EUVD) | Editorial | European Vulnerability Database entry for CVE-2025-29631 (CVSS 9.8) |
Story angles supported by primary sources
- Consumer protection. Approximately 134,000 customers had names, addresses, phone numbers, email addresses, and partial payment card data in scope of the unauthenticated CVE-2026-28766 exposure. The advisory is at the federal-agency level (CISA, ICSA-26-055-03).
- The "no payment data" discrepancy. Gardyn's customer-facing security update post states payment card information was not exposed. The researcher's coordinated-disclosure findings document a partial payment card field in the affected /api/users response. See discrepancies.
- IoT supply chain. A hard-coded administrative credential for an Azure IoT Hub was reachable in API responses. Combined with command injection in the device upgrade path (CVE-2025-29631), the chain supports unauthenticated remote code execution as root on registered devices.
- OT/ICS sector context. CISA classifies the affected sector as Food and Agriculture. The advisory is one of a small number of consumer IoT findings to receive ICS-level treatment.
- Coordinated disclosure as a public good. The disclosure followed direct vendor outreach in October 2025, federal coordination from December 2025 through April 2026 (Update A). All ten CVEs are remediated per CISA. See coordinated disclosure process.
For journalists considering coverage
The maintainer is on record and responds to press within 24 hours. The press kit includes a copy-pasteable bio, on-record quotes, and direct contact (PGP and Signal available on request). The disclosure is supported by a federal agency advisory (CISA), CVE records in the National Vulnerability Database, and a European Vulnerability Database entry (EUVD-2025-22716), all of which are primary public sources independent of the researcher.
Researcher contact
Direct: press@gardyn-security-incident.info (response within 24 hours). PGP and Signal available on request.
Submitting additional coverage
Journalists with newly published coverage are welcome to email press@gardyn-security-incident.info with the URL, byline, and publication date to be added to this index.