
138,000 Root-Accessible Linux IoT Devices Exposed on US Home and School Networks

The Cybersecurity and Infrastructure Security Agency (CISA) published advisory ICSA-26-055-03 on February 24, 2026, followed by Update A on April 2. As updated, the advisory covers 10 CVEs affecting Gardyn’s IoT smart garden platform.

In total, 138,160 Linux IoT devices were exposed across US homes and K–12 schools.

Several of the vulnerabilities are rated critical, with CVSS scores in the 9.x range in public disclosures.

This is not a typical IoT story.

Each device is a Raspberry Pi Zero W running full Linux, with root shell access, persistent cloud connectivity, and placement inside trusted networks—behind the firewall. At scale, these devices represent network-interior footholds, not edge risks.

The vendor confirmed that no access logging existed on affected endpoints during the exposure window, which spans approximately six years.

The Vulnerability Landscape

Critical CVEs Enabling Remote Root Access

  • CVE-2025-1242: Administrative credentials can reportedly be extracted through API responses, mobile application reverse engineering, and device firmware analysis. As a result, an attacker may gain administrative access to the Gardyn IoT Hub.
  • CVE-2025-29631: A command injection vulnerability in the firmware upgrade process allows an attacker to execute arbitrary operating system commands and potentially gain remote root access.

Together they describe a plausible chain: credentials recovered from the app, API or firmware open the hub’s administrative interface, and command injection in the upgrade path turns that access into arbitrary command execution, potentially as root.
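The bug class behind CVE-2025-29631, shown as an illustrative added example rather than Gardyn’s code: the advisory says only that the firmware upgrade process is injectable and does not identify the code path, so the handler below is hypothetical, and `echo` stands in for the real unpack or flash step so the injection is visible but harmless. It assumes a POSIX shell.

```python
import re
import subprocess

# Hypothetical update handler reconstructing the bug class, NOT Gardyn's firmware.
# 'echo' stands in for the real unpack/flash step so the injection is harmless to run.

def stage_update_vulnerable(package_name: str) -> str:
    """Attacker-influenced name is spliced into a shell command line."""
    cmd = f"echo staging {package_name}"   # a real updater might build "tar xzf /tmp/{package_name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

# Allowlist: one path component, no shell metacharacters, no leading dot, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def stage_update_hardened(package_name: str) -> str:
    """Validate first, then pass the name as a single argv element that no shell re-parses."""
    if not SAFE_NAME.fullmatch(package_name) or ".." in package_name:
        raise ValueError(f"rejected package name: {package_name!r}")
    return subprocess.run(["echo", "staging", package_name],
                          capture_output=True, text=True, check=True).stdout

def demo() -> dict:
    """Run both handlers against a benign and a hostile name; return what happened."""
    benign = "update-1.2.tgz"
    hostile = "update-1.2.tgz; echo INJECTED"   # constructed payload: ';' terminates the intended command
    try:
        stage_update_hardened(hostile)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_hostile": stage_update_vulnerable(hostile),   # contains "INJECTED"
        "hardened_benign": stage_update_hardened(benign),         # "staging update-1.2.tgz\n"
        "hardened_rejected_hostile": rejected,                    # True
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The argv form removes the shell from the picture, so metacharacters in the name can no longer change the command; the allowlist still matters because the same name usually ends up in a filesystem path. In a real updater the package should also be signature-verified before anything is unpacked, which the advisory does not discuss and this example does not show.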

Unauthenticated Access and Data Exposure Risks

  • CVE-2025-29628: The system reportedly transmits an Azure IoT Hub connection string over insecure HTTP. As a result, attackers could intercept credentials through a man-in-the-middle attack and gain device-level control.
  • CVE-2025-29629: Weak or default SSH credentials may allow attackers to access affected devices without authorization.
  • CVE-2026-28766: A specific endpoint reportedly exposes user account information without authentication. In addition, public reporting suggests that a significant volume of personal and contact data may have been accessible.

Hardcoded Secrets and Cloud Infrastructure Exposure

  • CVE-2025-10681: Public reporting indicates that developers embedded storage credentials in the mobile application and device firmware. Consequently, attackers could access cloud storage resources without authorization.
  • CVE-2026-25197: Public CVE records describe this as an authorization bypass through a user-controlled key: the server trusts an identifier supplied by the client when deciding whose resource to return, so a caller who changes that identifier may reach another user’s data or actions under certain conditions.
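A way to triage the two secret-exposure findings above (the IoT Hub connection string sent over HTTP, CVE-2025-29628, and the storage credentials embedded in the app and firmware, CVE-2025-10681), as an added example that is not from the page or the vendor: it recognises both Azure connection-string dialects in a captured response body or a strings dump, ranks what each leaked key unlocks, and redacts before logging. Hosts, URLs and keys are constructed; the connection-string grammar itself (‘;’-separated key=value pairs beginning with HostName= or DefaultEndpointsProtocol=) is the real Azure format.

```python
import base64
import re
from dataclasses import dataclass

def _fake_key(fill: bytes, n: int) -> str:
    """Constructed base64 'secret' for the sample corpus; not a real key."""
    return base64.b64encode(fill * n).decode()

# Constructed corpus (no real hosts, IDs or keys): an HTTP response body captured on
# the wire, strings lifted from a firmware image, and a harmless TLS response.
SAMPLES = {
    "http://api.example-hub.test/v1/device/bootstrap":
        '{"connectionString": "HostName=example-hub.azure-devices.net;DeviceId=garden-0001;'
        f'SharedAccessKey={_fake_key(b"k", 32)}"}}',
    "firmware:/opt/app/config.py":
        'STORAGE = "DefaultEndpointsProtocol=https;AccountName=examplestorage;'
        f'AccountKey={_fake_key(b"s", 64)};EndpointSuffix=core.windows.net"\n'
        'HUB = "HostName=example-hub.azure-devices.net;SharedAccessKeyName=iothubowner;'
        f'SharedAccessKey={_fake_key(b"o", 32)}"\n',
    "https://api.example-hub.test/v1/status": '{"ok": true}',
}

# Both Azure dialects are ';'-separated key=value lists starting with one of these keys.
CONN_STR = re.compile(r"""(?:HostName|DefaultEndpointsProtocol)=[^"'\s]+""")

@dataclass
class Finding:
    source: str
    kind: str           # "iot-hub" | "azure-storage" | "unknown"
    scope: str          # what the leaked key unlocks
    severity: int       # 3 hub-wide policy, 2 storage account, 1 single device
    transport: str      # how it was exposed
    key_preview: str    # redacted; the full key is never logged
    key_is_base64: bool

def classify(fields: dict):
    """Map parsed fields to (kind, severity, scope, key)."""
    if "AccountKey" in fields:
        return ("azure-storage", 2,
                f"storage account '{fields.get('AccountName', '?')}' (account-wide)",
                fields["AccountKey"])
    if "SharedAccessKeyName" in fields:
        return ("iot-hub", 3,
                f"hub '{fields.get('HostName', '?')}' policy '{fields['SharedAccessKeyName']}' (hub-wide)",
                fields.get("SharedAccessKey", ""))
    if "DeviceId" in fields:
        return ("iot-hub", 1,
                f"hub '{fields.get('HostName', '?')}' device '{fields['DeviceId']}' only",
                fields.get("SharedAccessKey", ""))
    return ("unknown", 0, "unrecognised field set", "")

def exposure(source: str) -> str:
    if source.startswith("http://"):
        return "cleartext HTTP on the wire (interceptable)"
    if source.startswith("https://"):
        return "TLS-protected response"
    return "embedded in a shipped artifact (firmware or app)"

def looks_base64(s: str) -> bool:
    try:
        return bool(s) and base64.b64decode(s, validate=True) != b""
    except ValueError:          # binascii.Error is a ValueError subclass
        return False

def scan(samples: dict) -> list:
    """Find every connection string in every source; worst exposure first."""
    findings = []
    for source, blob in samples.items():
        for m in CONN_STR.finditer(blob):
            fields = dict(p.split("=", 1) for p in m.group(0).split(";") if "=" in p)
            kind, severity, scope, key = classify(fields)
            findings.append(Finding(source, kind, scope, severity, exposure(source),
                                    f"{key[:4]}...({len(key)} chars)", looks_base64(key)))
    return sorted(findings, key=lambda f: -f.severity)

if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f"[{f.severity}] {f.kind}: {f.scope}; {f.transport}; key {f.key_preview}; from {f.source}")
```

The ranking is the point: a device-scoped SharedAccessKey affects one unit, a storage AccountKey is account-wide, and a policy key such as iothubowner embedded in firmware is a fleet-wide problem because every shipped copy carries the same secret. The remedy in each case is per-device credentials delivered over TLS, never a shared key baked into the image or returned over HTTP.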

Administrative and Debug Endpoints Left Exposed

  • CVE-2026-32646: A specific administrative endpoint reportedly lacks proper authentication. As a result, attackers may access device management functionality.
  • CVE-2026-28767: A separate notifications endpoint also appears accessible without authentication controls.
  • CVE-2026-32662: Public advisory information indicates that development or debug functionality remains enabled in production builds. Debug interfaces that ship enabled widen the attack surface of every deployed unit.

Network-Interior Threat

Why These Linux IoT Devices Create Persistent Footholds

Unlike traditional botnets that target Internet-facing systems, these Linux IoT devices sit inside the network perimeter.

Each device operates on the same subnet as laptops, phones, printers, and storage systems. Once compromised, it becomes a persistent internal access point.

Lateral Movement and Botnet Potential at Scale

A compromised device provides:

  • Persistent LAN foothold with cloud-based command-and-control (C2)
  • Lateral movement capabilities (ARP spoofing, DNS poisoning, traffic interception)
  • Reliable outbound communication via Azure IoT Hub (no inbound firewall rules required)
  • Scalable botnet recruitment across 138,000 endpoints

This is the architectural profile of a Mirai-class threat—inside the network.

Impact on Schools and Critical Infrastructure

K–12 Networks as High-Value Targets

In K–12 environments, a compromised device can act as a beachhead into institutional networks.

The issue has been shared with K12 SIX, a threat intelligence organization spanning more than 38 US states. CISA has classified the exposure under the Food and Agriculture critical infrastructure sector.

Disclosure Timeline and Vendor Response

Timeline of Vulnerability Disclosure

  • October 14, 2025: Vulnerabilities reported to Gardyn
  • December 12, 2025: CERT/CC opens case (VU#653116)
  • February 24, 2026: CISA publishes initial advisory with 4 CVEs
  • February 27, 2026: Public reporting begins
  • April 2, 2026: Update A expands total to 10 CVEs

In total, 52 vulnerabilities were identified; Update A brings the published count to 10 CVEs, and additional findings are still progressing through coordinated disclosure.

Gaps in Vendor Transparency and Logging

On the same day as the initial advisory, Gardyn’s security page stated that all vulnerabilities were “remediated.” However, the advisory indicated that mitigation efforts were still in progress.

Notably, no access logging was in place during the exposure period. This creates a critical visibility gap, making it impossible to determine whether systems were accessed or exploited.

Why This Matters

This is where most people get it wrong.

These are not “smart devices.”
They are Linux systems with root access inside trusted networks.

That changes the threat model entirely.

Instead of attacking from the outside, an attacker can:

  • Establish persistence inside the network
  • Move laterally across devices
  • Intercept sensitive traffic
  • Operate without triggering perimeter defenses

At scale, this becomes a distributed internal attack surface.

What You Should Do

Treat IoT devices like unmanaged endpoints:

  • Segment IoT devices onto a separate network or VLAN
  • Restrict outbound traffic where possible
  • Monitor for unusual DNS or network behavior
  • Apply firmware updates immediately
  • Remove or isolate devices that cannot be secured
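The monitoring and segmentation items above, worked through as an added example (not from the page or the vendor): it correlates constructed resolver and flow logs for an assumed IoT VLAN and flags the behaviours described earlier in the article: an IoT host reaching into the trusted LAN, egress to anything other than its cloud endpoint, and inbound SSH to a device. The addresses, VLAN ranges and every allow-listed suffix other than azure-devices.net are assumptions.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumed addressing for the example (not the page's): IoT VLAN, trusted user/server
# VLAN, and the only resolver the IoT segment is allowed to query.
IOT_VLAN = ipaddress.ip_network("10.20.0.0/24")
TRUSTED_VLANS = [ipaddress.ip_network("10.10.0.0/24")]
RESOLVER = ipaddress.ip_address("10.20.0.1")
# Egress allowlist. The article names Azure IoT Hub as the hub's cloud endpoint;
# pool.ntp.org is an assumption for the demo.
ALLOWED_SUFFIXES = ("azure-devices.net", "pool.ntp.org")

# Constructed logs (not a real capture). Resolver log: ts client Q name type answer
DNS_LOG = """\
1712000001 10.20.0.42 Q garden-hub.azure-devices.net A 20.0.0.10
1712000002 10.20.0.42 Q pool.ntp.org A 20.0.0.20
1712000003 10.20.0.42 Q updates.example-cdn.test A 52.0.0.9
1712000004 10.20.0.77 Q internal-nas.lan A 10.10.0.50
"""
# Flow log: ts proto src sport dst dport
FLOW_LOG = """\
1712000005 tcp 10.20.0.42 50120 20.0.0.10 8883
1712000006 udp 10.20.0.42 123 20.0.0.20 123
1712000007 tcp 10.20.0.42 50130 52.0.0.9 443
1712000008 tcp 10.20.0.77 50200 10.10.0.50 445
1712000009 tcp 10.20.0.77 50201 10.10.0.12 22
1712000010 tcp 10.10.0.99 60000 10.20.0.42 22
1712000011 tcp 10.20.0.42 50140 64.0.0.7 4444
1712000012 udp 10.20.0.42 50150 10.20.0.1 53
"""

@dataclass
class Alert:
    rule: str
    src: str
    dst: str
    detail: str

def name_allowed(qname: str) -> bool:
    return any(qname == s or qname.endswith("." + s) for s in ALLOWED_SUFFIXES)

def in_trusted(ip) -> bool:
    return any(ip in net for net in TRUSTED_VLANS)

def analyze(dns_log: str, flow_log: str) -> list:
    """Correlate resolver answers with flows and emit one Alert per policy violation."""
    alerts = []
    resolved = defaultdict(set)   # answer IP -> names it was resolved under
    for line in dns_log.splitlines():
        _ts, client, _q, qname, _rtype, answer = line.split()
        resolved[ipaddress.ip_address(answer)].add(qname)
        if ipaddress.ip_address(client) in IOT_VLAN and not name_allowed(qname):
            alerts.append(Alert("dns_unexpected", client, qname,
                                "IoT device resolved a name outside its egress allowlist"))
    for line in flow_log.splitlines():
        _ts, proto, src, _sport, dst, dport = line.split()
        s, d, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        if s in IOT_VLAN:
            # Any connection into the trusted LAN, or to another IoT host other than
            # DNS to the resolver, is the lateral movement the article warns about.
            if in_trusted(d) or (d in IOT_VLAN and not (d == RESOLVER and port == 53)):
                alerts.append(Alert("lateral", src, f"{dst}:{port}",
                                    "IoT device initiated a connection to an internal host"))
            elif d not in IOT_VLAN:
                names = resolved.get(d, set())
                if not names:
                    alerts.append(Alert("egress_unresolved", src, f"{dst}:{port}",
                                        f"{proto} egress to an address the device never resolved"))
                elif not any(name_allowed(n) for n in names):
                    alerts.append(Alert("egress_unlisted", src, f"{dst}:{port}",
                                        f"egress via non-allowlisted name(s) {sorted(names)}"))
        elif d in IOT_VLAN and port == 22:
            # The hub needs no inbound rules to operate, so inbound SSH is always worth a look.
            alerts.append(Alert("inbound_ssh", src, f"{dst}:{port}",
                                "inbound SSH to an IoT device; weak/default SSH credentials are in scope"))
    return alerts

def rule_counts(alerts) -> dict:
    counts = defaultdict(int)
    for a in alerts:
        counts[a.rule] += 1
    return dict(counts)

if __name__ == "__main__":
    for a in analyze(DNS_LOG, FLOW_LOG):
        print(f"[{a.rule}] {a.src} -> {a.dst}: {a.detail}")
```

The same allowlist that drives the alerts is the one to enforce at the VLAN boundary: permit the IoT segment to reach its resolver and the cloud endpoints it legitimately needs, deny everything toward the trusted LAN, and the remaining alerts become the exceptions worth investigating rather than background noise.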

Conclusion

IoT devices on your network are not appliances. They are computers.

The exposure of 138,000 Linux IoT devices across homes and schools highlights a systemic issue in how these systems are deployed and secured.

The full advisory is available via the Cybersecurity and Infrastructure Security Agency.

Technical details and research are published by Michael Groberman.

About Cyber News Live

Stay ahead with Cyber News Live! First, we deliver real-time reporting and sharp threat intelligence. Additionally, we provide educational content for professionals, practitioners, and curious minds. From there, whether it’s breaking breach alerts or deep dives into attack vectors, we cover it all. Ultimately, our mission is clear: we make complex cyber topics understandable. And beyond that, we ensure critical knowledge stays accessible to everyone.
