CVE-2025-29631
OS Command Injection
| CVE | CVE-2025-29631 |
|---|---|
| Severity | Critical (9.1) |
| Weakness (CWE) | CWE-78: OS Command Injection |
| Affected components | Firmware < master.622 |
| Vendor | Gardyn Inc. |
| Affected products | Gardyn Home Kit Models 1.0, 2.0, 3.0, 4.0; Gardyn Studio Models 1.0, 2.0 |
| Sector | Food and Agriculture (CISA classification) |
| Status per CISA Update A | Remediated |
| Coordinator | CERT/CC (parent case VU#653116) and CISA |
What is documented
Per the researcher’s coordinated-disclosure repository, the device firmware’s upgrade() routine in DMHandler.py passed its input to os.system() without sanitization. upgrade() is registered as an Azure IoT Hub direct method, so it can be invoked by any caller holding IoT Hub credentials.
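The following is an added illustration of the CWE-78 pattern described above, written for this page and not taken from the disclosure repository or from Gardyn's firmware. It contrasts the weak construction (a caller-supplied value interpolated into a single shell string) with a hardened handler that allowlists the value and runs the upgrade tool as an argv list with no shell. The handler name, the payload key `version`, the script path `/opt/firmware/upgrade.sh` and the sample payloads are assumptions; the vulnerable variant only returns the command string it would have run so the example is safe to execute. It addresses the command-construction defect only, not who is authorized to invoke the method.

```python
"""Hypothetical CWE-78 illustration for an upgrade-style direct method.

Nothing here is Gardyn's code: handler names, payload shape and the
upgrade script path are assumptions made for this example.
"""
import re
import subprocess

# Constructed sample payloads of the kind a direct-method handler might receive.
SAMPLE_PAYLOADS = [
    {"version": "master.622"},                   # legitimate value
    {"version": "master.622; echo INJECTED"},    # shell metacharacters
    {"version": "$(id)"},                        # command substitution
    {"version": "master.622\n"},                 # trailing newline
    {},                                          # missing key
]

UPGRADE_SCRIPT = "/opt/firmware/upgrade.sh"      # assumed path


def build_shell_command_vulnerable(payload):
    """Weak pattern: the untrusted value becomes part of one shell string.

    Returned instead of being passed to os.system() so the example never
    executes anything; the string shows what a shell would have parsed.
    """
    return f"{UPGRADE_SCRIPT} {payload['version']}"


# Allowlist for a version token: alphanumerics, dot, underscore, hyphen only.
# fullmatch() is used so a trailing newline or any other stray byte is rejected.
VERSION_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def validate_version(value):
    """Return the value unchanged if it matches the allowlist, else raise."""
    if not isinstance(value, str) or VERSION_RE.fullmatch(value) is None:
        raise ValueError("version rejected by allowlist")
    return value


def build_argv_hardened(payload):
    """Build an argv list; the value can only ever be a single argument."""
    version = validate_version(payload.get("version"))
    return [UPGRADE_SCRIPT, version]


def dry_run(argv, **kwargs):
    """Offline stand-in for subprocess.run: records argv, executes nothing."""
    return subprocess.CompletedProcess(argv, 0, stdout=b"", stderr=b"")


def handle_direct_method(payload, runner=subprocess.run):
    """Direct-method style handler returning a status code and a body.

    Validation happens before anything runs; shell=False hands argv to the
    OS directly, so no shell ever parses the caller's value.
    """
    try:
        argv = build_argv_hardened(payload)
    except ValueError as exc:
        return {"status": 400, "payload": {"error": str(exc)}}
    completed = runner(argv, shell=False, check=False, capture_output=True)
    status = 200 if completed.returncode == 0 else 500
    return {"status": status, "payload": {"returncode": completed.returncode}}


if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        shown = build_shell_command_vulnerable(payload) if "version" in payload else "<no version key>"
        print(f"weak command string : {shown!r}")
        print(f"hardened handler    : {handle_direct_method(payload, runner=dry_run)}")
```

The usage block runs every sample through both paths with the offline `dry_run` runner; in a real device handler `runner` would default to `subprocess.run`. The allowlist is deliberately narrow: rather than trying to strip shell metacharacters, it accepts only the characters a version token needs, and the argv form means even an accepted value cannot split into extra arguments.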
Primary sources
- CISA ICSA-26-055-03 (Update A)
- NVD: CVE-2025-29631
- MITRE CVE Record: CVE-2025-29631
- Disclosure repository
Mitigation per CISA Update A
Per CISA Update A (April 2, 2026), this CVE is remediated. The fix versions stated by CISA are: Gardyn mobile application 2.11.0 or later; Gardyn cloud API 2.12.2026 or later; Home Kit firmware master.622 or later. See the CISA advisory and the how-to-update page.