cvelistv5 - cve-2024-52330

CVE-2024-52330 (GCVE-0-2024-52330)

Vulnerability from cvelistv5

Published

2025-01-23 16:36

Modified

2025-02-12 20:41

Severity ?

7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
9.5 (Critical) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H

CWE

CWE-295 - Improper Certificate Validation

Summary

ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.

References

URL

Tags

9119a7d8-5eab-497f-8521-727c672e3725	https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf	Exploit, Third Party Advisory
9119a7d8-5eab-497f-8521-727c672e3725	https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf	Exploit, Third Party Advisory
9119a7d8-5eab-497f-8521-727c672e3725	https://www.ecovacs.com/global/userhelp/dsa20241217001	Vendor Advisory

Impacted products

Vendor

Product

Version

ECOVACS

DEEBOT X5 PRO PLUS

Version: 0 < 1.38.0

ECOVACS	DEEBOT X5 PRO	Version: 0 < 1.70.0
ECOVACS	DEEBOT X2S	Version: 0 < 1.49.0
ECOVACS	DEEBOT X2 OMNI	Version: 0 < 1.76.6
ECOVACS	DEEBOT X1 TURBO	Version: 0 < 2.4.41
ECOVACS	DEEBOT X1	Version: 0 < 1.7.3
ECOVACS	DEEBOT X1S PRO	Version: 0 < 2.5.31
ECOVACS	DEEBOT X1e OMNI	Version: 0 < 2.4.42
ECOVACS	DEEBOT T10 PLUS	Version: 0 < 1.7.5
ECOVACS	DEEBOT T10 OMNI	Version: 0 < 1.9.0
ECOVACS	DEEBOT X5 PRO ULTRA	Version: 0 < 1.17.0
ECOVACS	Mate X	Version: 0 < 1.44.18
ECOVACS	DEEBOT X2 PRO	Version: 0 < 1.76.6
ECOVACS	DEEBOT X2 COMBO	Version: 0 < 1.81.10
ECOVACS	DEEBOT X1 OMNI	Version: 0 < 2.4.41
ECOVACS	DEEBOT X1 PRO OMNI	Version: 0 < 2.4.41
ECOVACS	DEEBOT X1 PLUS	Version: 0 < 1.7.3
ECOVACS	DEEBOT X1S PRO PLUS	Version: 0 < 1.23.0
ECOVACS	DEEBOT T10 TURBO	Version: 0 < 1.10.0
ECOVACS	DEEBOT T10	Version: 0 < 1.7.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-52330",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-23T16:56:31.855219Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T20:41:28.969Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X5 PRO PLUS",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "1.38.0"
            },
            {
              "lessThan": "1.38.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X5 PRO",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "1.70.0"
            },
            {
              "lessThan": "1.70.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X2S",
          "vendor": "ECOVACS",
          "versions": [
            {
              "lessThan": "1.49.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "1.49.0"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X2  OMNI",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "1.76.6"
            },
            {
              "lessThan": "1.76.6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X1 TURBO",
          "vendor": "ECOVACS",
          "versions": [
            {
              "lessThan": "2.4.41",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "2.4.41"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X1",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "1.7.3"
            },
            {
              "lessThan": "1.7.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X1S PRO",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "2.5.31"
            },
            {
              "lessThan": "2.5.31",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X1e OMNI",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "2.4.42"
            },
            {
              "lessThan": "2.4.42",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT T10 PLUS",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "1.7.5"
            },
            {
              "lessThan": "1.7.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT T10 OMNI",
          "vendor": "ECOVACS",
          "versions": [
            {
              "lessThan": "1.9.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "1.9.0"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X5 PRO ULTRA",
          "vendor": "ECOVACS",
          "versions": [
            {
              "lessThan": "1.17.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "1.17.0"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Mate X",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "1.44.18"
            },
            {
              "lessThan": "1.44.18",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X2 PRO",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "1.76.6"
            },
            {
              "lessThan": "1.76.6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X2 COMBO",
          "vendor": "ECOVACS",
          "versions": [
            {
              "lessThan": "1.81.10",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "1.81.10"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X1 OMNI",
          "vendor": "ECOVACS",
          "versions": [
            {
              "lessThan": "2.4.41",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "2.4.41"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X1 PRO OMNI",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "2.4.41"
            },
            {
              "lessThan": "2.4.41",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X1 PLUS",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "1.7.3"
            },
            {
              "lessThan": "1.7.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X1S PRO PLUS",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "1.23.0"
            },
            {
              "lessThan": "1.23.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT T10 TURBO",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "1.10.0"
            },
            {
              "lessThan": "1.10.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT T10",
          "vendor": "ECOVACS",
          "versions": [
            {
              "lessThan": "1.7.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "1.7.5"
            }
          ]
        }
      ],
      "datePublic": "2023-12-27T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        },
        {
          "cvssV4_0": {
            "baseScore": 9.5,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295 Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-23T16:36:50.128Z",
        "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "shortName": "cisa-cg"
      },
      "references": [
        {
          "name": "url",
          "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
        },
        {
          "name": "url",
          "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
        },
        {
          "name": "url",
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        }
      ],
      "title": "ECOVACS lawnmowers and vacuums do not properly validate TLS certificates"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
    "assignerShortName": "cisa-cg",
    "cveId": "CVE-2024-52330",
    "datePublished": "2025-01-23T16:36:50.128Z",
    "dateReserved": "2024-11-08T01:06:02.405Z",
    "dateUpdated": "2025-02-12T20:41:28.969Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-52330\",\"sourceIdentifier\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"published\":\"2025-01-23T17:15:14.427\",\"lastModified\":\"2025-09-23T17:48:33.127\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.\"},{\"lang\":\"es\",\"value\":\"Las cortadoras de c\u00e9sped y las aspiradoras ECOVACS no validan correctamente los certificados TLS. Un atacante no autenticado puede leer o modificar el tr\u00e1fico TLS, posiblemente modificando las actualizaciones de firmware.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.5,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ecovacs:deebot_x2_omni_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.76.6\",\"matchCriteriaId\":\"DFBAD9FC-1343-4D07-99E6-9E7C3D77C694\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ecovacs:deebot_x2_omni:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9BD94283-0BC1-4C7C-A5F3-9D57E44B4C64\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ecovacs:deebot_x2_combo_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.81.10\",\"matchCriteriaId\":\"DAF98AFD-C399-4AB8-A637-29561F39F134\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ecovacs:deebot_x2_combo:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2C12633C-1BD2-4BF6-BF11-FC05221B93EB\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ecovacs:deebot_x2s_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.49.0\",\"matchCriteriaId\":\"969D4A03-B499-4218-BF07-22E51654AA6C\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ecovacs:deebot_x2s:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"11AA1D51-EE29-4252-A739-1F1D4A3F428D\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ecovacs:deebot_x5_pro_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.70.0\",\"matchCriteriaId\":\"5B819C9B-F143-4A63-825C-B1DF1DCB16B7\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ecovacs:deebot_x5_pro:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"64AB781B-CB28-4229-A74D-8CDD325EFAC3\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ecovacs:deebot_x5_pro_plus_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.38.0\",\"matchCriteriaId\":\"0F61F40B-6031-4C32-9571-B92C3377EFB2\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ecovacs:deebot_x5_pro_plus:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CFE49BE7-59E8-4447-B78B-4FEDF4F773CD\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ecovacs:deebot_x5_pro_ultra_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.17.0\",\"matchCriteriaId\":\"9C4821F3-3B7D-4035-980F-C11713C5D424\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ecovacs:deebot_x5_pro_ultra:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8504979A-A4F0-4A03-8816-E9AB3BD6F40B\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ecovacs:mate_x_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.44.18\",\"matchCriteriaId\":\"0C4EC5E7-04E3-497C-ACD9-2479C48A2FC4\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ecovacs:mate_x:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"706F2C75-0E75-487B-BA24-EB824E6BC16B\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ecovacs:deebot_x1_omni_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.4.41\",\"matchCriteriaId\":\"8F75A470-5B86-41C6-86E2-232656AF68F9\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ecovacs:deebot_x1_omni:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"91E23E30-45BE-4142-8E9C-032282F3B6A6\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ecovacs:deebot_x1_turbo_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.4.41\",\"matchCriteriaId\":\"0F868AC3-7B87-44E5-A7B0-F2C85DCA7E7C\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ecovacs:deebot_x1_turbo:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"65F69609-1D21-461A-9457-A745194759CD\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ecovacs:deebot_x1_pro_omni_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.4.41\",\"matchCriteriaId\":\"2B044584-55B4-4E88-99C9-9A48D9B4E908\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ecovacs:deebot_x1_pro_omni:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"003B54E0-B2FF-485A-9A55-925609EE8DF1\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ecovacs:deebot_x1_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.7.3\",\"matchCriteriaId\":\"4AE87B2E-A1B1-438E-9482-E8466647050B\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ecovacs:deebot_x1:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4DA0B484-221F-4E67-927F-DBCBBC1F6448\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ecovacs:deebot_x1_plus_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.7.3\",\"matchCriteriaId\":\"7DC2AA81-5895-43EE-8B34-D8074DDD301F\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ecovacs:deebot_x1_plus:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C5586D60-D87F-45A1-8619-F6CC12AD9731\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ecovacs:deebot_x1s_pro_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.5.31\",\"matchCriteriaId\":\"849A58E5-2700-49F4-BF60-C35E97689AE1\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ecovacs:deebot_x1s_pro:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"037628A9-DD54-4A4B-97A9-78142B76E91E\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ecovacs:deebot_x1s_pro_plus_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.23.0\",\"matchCriteriaId\":\"7526B614-1962-490C-8972-2A275A471A86\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ecovacs:deebot_x1s_pro_plus:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4612A790-C3CC-40AA-8E31-2C2918C6AB6C\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ecovacs:deebot_x1e_omni_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.4.42\",\"matchCriteriaId\":\"67C721A5-53B6-4B15-A76C-481EF4C45147\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ecovacs:deebot_x1e_omni:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"16705AA3-4CAE-4BF5-8084-6A6CB30A1E8C\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ecovacs:deebot_t10_turbo_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.10.0\",\"matchCriteriaId\":\"454C233D-82D5-4B99-AC3A-94B1CF23F078\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ecovacs:deebot_t10_turbo:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"85DEFE0B-99F7-49DF-96E3-69B6FC1EF262\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ecovacs:deebot_t10_plus_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.7.5\",\"matchCriteriaId\":\"79E44970-1ADF-4170-A09A-F64F02E27C64\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ecovacs:deebot_t10_plus:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1CBAA124-1B4C-4E75-80E1-A747AC9183E1\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ecovacs:deebot_t10_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.7.5\",\"matchCriteriaId\":\"4CA98740-BA9B-4479-B92F-F76B1234D2FE\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ecovacs:deebot_t10:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"318C962D-54C2-456E-A045-1332A02958E9\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ecovacs:deebot_t10_omni_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.9.0\",\"matchCriteriaId\":\"B843C490-26E9-4D03-8BCB-DBC462833D12\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ecovacs:deebot_t10_omni:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"11395F70-87C2-41DD-9D9A-CFA8D0512ECE\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:ecovacs:deebot_x2_pro_firmware:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.76.6\",\"matchCriteriaId\":\"F3F737D6-74BD-47F8-88B7-045E8B280E46\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:ecovacs:deebot_x2_pro:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C98FE3FD-E432-4DD7-AF87-6FBA4C4ABC45\"}]}]}],\"references\":[{\"url\":\"https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://www.ecovacs.com/global/userhelp/dsa20241217001\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-52330\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-23T16:56:31.855219Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-12T20:35:32.396Z\"}}], \"cna\": {\"title\": \"ECOVACS lawnmowers and vacuums do not properly validate TLS certificates\", \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 7.4, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\"}}, {\"format\": \"CVSS\", \"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 9.5, \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H\"}}], \"affected\": [{\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X5 PRO PLUS\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.38.0\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.38.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X5 PRO\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.70.0\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.70.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X2S\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.49.0\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"1.49.0\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X2  OMNI\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.76.6\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.76.6\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X1 TURBO\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.4.41\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"2.4.41\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X1\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.7.3\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.7.3\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X1S PRO\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"2.5.31\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.5.31\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X1e OMNI\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"2.4.42\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.4.42\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT T10 PLUS\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.7.5\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.7.5\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT T10 OMNI\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.9.0\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"1.9.0\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X5 PRO ULTRA\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.17.0\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"1.17.0\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"Mate X\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.44.18\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.44.18\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X2 PRO\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.76.6\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.76.6\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X2 COMBO\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.81.10\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"1.81.10\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X1 OMNI\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.4.41\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"2.4.41\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X1 PRO OMNI\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"2.4.41\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.4.41\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X1 PLUS\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.7.3\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.7.3\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X1S PRO PLUS\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.23.0\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.23.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT T10 TURBO\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.10.0\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.10.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT T10\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.7.5\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"1.7.5\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2023-12-27T00:00:00.000Z\", \"references\": [{\"url\": \"https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf\", \"name\": \"url\"}, {\"url\": \"https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf\", \"name\": \"url\"}, {\"url\": \"https://www.ecovacs.com/global/userhelp/dsa20241217001\", \"name\": \"url\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-295\", \"description\": \"CWE-295 Improper Certificate Validation\"}]}], \"providerMetadata\": {\"orgId\": \"9119a7d8-5eab-497f-8521-727c672e3725\", \"shortName\": \"cisa-cg\", \"dateUpdated\": \"2025-01-23T16:36:50.128Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-52330\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-12T20:41:28.969Z\", \"dateReserved\": \"2024-11-08T01:06:02.405Z\", \"assignerOrgId\": \"9119a7d8-5eab-497f-8521-727c672e3725\", \"datePublished\": \"2025-01-23T16:36:50.128Z\", \"assignerShortName\": \"cisa-cg\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-m998-32q9-vxpx

Vulnerability from github

Published

2025-01-23 18:31

Modified

2025-01-23 18:31

Severity ?

7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
9.5 (Critical) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H

Details

ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-52330"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-23T17:15:14Z",
    "severity": "CRITICAL"
  },
  "details": "ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.",
  "id": "GHSA-m998-32q9-vxpx",
  "modified": "2025-01-23T18:31:20Z",
  "published": "2025-01-23T18:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52330"
    },
    {
      "type": "WEB",
      "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
    },
    {
      "type": "WEB",
      "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

va-25-022-01

Vulnerability from csaf_cisa

Published

2025-01-23 00:53

Modified

2025-01-23 00:53

Summary

ECOVACS lawnmower and vacuum vulnerabilities

Notes

Legal Notice

All information products included in https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.

Countries and Areas Deployed

Worldwide

Company Headquarters Location

Suzhou, China

Critical Infrastructure Sectors

None

Risk Evaluation

ECOVACS lawnmowers, vacuums, and other robots contain multiple vulnerabilities. In some cases, using a combination of vulnerabilities, an attacker within Bluetooth range or with appropriate network access can take complete control of a robot device. Some vulnerabilities allow an attacker to access device cameras and microphones. Note that the list of affected products is incomplete.

Recommended Practices

Review ECOVACS advisories and update robot firmware and mobile apps.

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "All information products included in https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white are provided \\\"as is\\\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see https://us-cert.cisa.gov/tlp/.",
        "title": "Legal Notice"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries and Areas Deployed"
      },
      {
        "category": "other",
        "text": "Suzhou, China",
        "title": "Company Headquarters Location"
      },
      {
        "category": "other",
        "text": "None",
        "title": "Critical Infrastructure Sectors"
      },
      {
        "category": "summary",
        "text": "ECOVACS lawnmowers, vacuums, and other robots contain multiple vulnerabilities. In some cases, using a combination of vulnerabilities, an attacker within Bluetooth range or with appropriate network access can take complete control of a robot device. Some vulnerabilities allow an attacker to access device cameras and microphones. Note that the list of affected products is incomplete.",
        "title": "Risk Evaluation"
      },
      {
        "category": "general",
        "text": "Review ECOVACS advisories and update robot firmware and mobile apps.",
        "title": "Recommended Practices"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "https://www.cisa.gov/report ",
      "issuing_authority": "CISA",
      "name": "CISA",
      "namespace": "https://www.cisa.gov"
    },
    "references": [
      {
        "category": "self",
        "summary": "Vulnerability Advisory VA-25-022-01 CSAF",
        "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/IT/white/2025/va-25-022-01.json"
      }
    ],
    "title": "ECOVACS lawnmower and vacuum vulnerabilities",
    "tracking": {
      "current_release_date": "2025-01-23T00:53:24Z",
      "generator": {
        "date": "2025-01-24T03:45:51Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.17"
        }
      },
      "id": "VA-25-022-01",
      "initial_release_date": "2025-01-23T00:53:24Z",
      "revision_history": [
        {
          "date": "2025-01-22T00:00:00Z",
          "number": "1.0.0",
          "summary": "Initial publication"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "vers:all/*",
                "product": {
                  "name": "ECOVACS AIRBOT Z1 *",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "AIRBOT Z1"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2024-12-17",
                "product": {
                  "name": "ECOVACS cloud service 0 \u003c 2024-12-17",
                  "product_id": "CSAFPID-0002"
                }
              },
              {
                "category": "product_version",
                "name": "2024-12-17",
                "product": {
                  "name": "ECOVACS cloud service 2024-12-17",
                  "product_id": "CSAFPID-0003"
                }
              }
            ],
            "category": "product_name",
            "name": "cloud service"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "vers:all/*",
                "product": {
                  "name": "ECOVACS DEEBOT N30 OMNI *",
                  "product_id": "CSAFPID-0004"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT N30 OMNI"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "vers:all/*",
                "product": {
                  "name": "ECOVACS DEEBOT N30 PRO OMNI *",
                  "product_id": "CSAFPID-0005"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT N30 PRO OMNI"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.7.5",
                "product": {
                  "name": "ECOVACS DEEBOT T10 0 \u003c 1.7.5",
                  "product_id": "CSAFPID-0006"
                }
              },
              {
                "category": "product_version",
                "name": "1.7.5",
                "product": {
                  "name": "ECOVACS DEEBOT T10 1.7.5",
                  "product_id": "CSAFPID-0007"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT T10"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.9.0",
                "product": {
                  "name": "ECOVACS DEEBOT T10 OMNI 0 \u003c 1.9.0",
                  "product_id": "CSAFPID-0008"
                }
              },
              {
                "category": "product_version",
                "name": "1.9.0",
                "product": {
                  "name": "ECOVACS DEEBOT T10 OMNI 1.9.0",
                  "product_id": "CSAFPID-0009"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT T10 OMNI"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.7.5",
                "product": {
                  "name": "ECOVACS DEEBOT T10 PLUS 1.7.5",
                  "product_id": "CSAFPID-0010"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.7.5",
                "product": {
                  "name": "ECOVACS DEEBOT T10 PLUS 0 \u003c 1.7.5",
                  "product_id": "CSAFPID-0011"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT T10 PLUS"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.10.0",
                "product": {
                  "name": "ECOVACS DEEBOT T10 TURBO 1.10.0",
                  "product_id": "CSAFPID-0012"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.10.0",
                "product": {
                  "name": "ECOVACS DEEBOT T10 TURBO 0 \u003c 1.10.0",
                  "product_id": "CSAFPID-0013"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT T10 TURBO"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.93.0",
                "product": {
                  "name": "ECOVACS DEEBOT T30 OMNI 0 \u003c 1.93.0",
                  "product_id": "CSAFPID-0014"
                }
              },
              {
                "category": "product_version",
                "name": "1.93.0",
                "product": {
                  "name": "ECOVACS DEEBOT T30 OMNI 1.93.0",
                  "product_id": "CSAFPID-0015"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT T30 OMNI"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.95.0",
                "product": {
                  "name": "ECOVACS DEEBOT T30S 0 \u003c 1.95.0",
                  "product_id": "CSAFPID-0016"
                }
              },
              {
                "category": "product_version",
                "name": "1.95.0",
                "product": {
                  "name": "ECOVACS DEEBOT T30S 1.95.0",
                  "product_id": "CSAFPID-0017"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT T30S"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.7.3",
                "product": {
                  "name": "ECOVACS DEEBOT X1 1.7.3",
                  "product_id": "CSAFPID-0018"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.7.3",
                "product": {
                  "name": "ECOVACS DEEBOT X1 0 \u003c 1.7.3",
                  "product_id": "CSAFPID-0019"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT X1"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "2.4.42",
                "product": {
                  "name": "ECOVACS DEEBOT X1e OMNI 2.4.42",
                  "product_id": "CSAFPID-0020"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.4.42",
                "product": {
                  "name": "ECOVACS DEEBOT X1e OMNI 0 \u003c 2.4.42",
                  "product_id": "CSAFPID-0021"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT X1e OMNI"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2.4.41",
                "product": {
                  "name": "ECOVACS DEEBOT X1 OMNI 0 \u003c 2.4.41",
                  "product_id": "CSAFPID-0022"
                }
              },
              {
                "category": "product_version",
                "name": "2.4.41",
                "product": {
                  "name": "ECOVACS DEEBOT X1 OMNI 2.4.41",
                  "product_id": "CSAFPID-0023"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT X1 OMNI"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.7.3",
                "product": {
                  "name": "ECOVACS DEEBOT X1 PLUS 1.7.3",
                  "product_id": "CSAFPID-0024"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.7.3",
                "product": {
                  "name": "ECOVACS DEEBOT X1 PLUS 0 \u003c 1.7.3",
                  "product_id": "CSAFPID-0025"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT X1 PLUS"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "2.4.41",
                "product": {
                  "name": "ECOVACS DEEBOT X1 PRO OMNI 2.4.41",
                  "product_id": "CSAFPID-0026"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.4.41",
                "product": {
                  "name": "ECOVACS DEEBOT X1 PRO OMNI 0 \u003c 2.4.41",
                  "product_id": "CSAFPID-0027"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT X1 PRO OMNI"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "2.5.31",
                "product": {
                  "name": "ECOVACS DEEBOT X1S PRO 2.5.31",
                  "product_id": "CSAFPID-0028"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c2.5.31",
                "product": {
                  "name": "ECOVACS DEEBOT X1S PRO 0 \u003c 2.5.31",
                  "product_id": "CSAFPID-0029"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT X1S PRO"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.23.0",
                "product": {
                  "name": "ECOVACS DEEBOT X1S PRO PLUS 1.23.0",
                  "product_id": "CSAFPID-0030"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.23.0",
                "product": {
                  "name": "ECOVACS DEEBOT X1S PRO PLUS 0 \u003c 1.23.0",
                  "product_id": "CSAFPID-0031"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT X1S PRO PLUS"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2.4.41",
                "product": {
                  "name": "ECOVACS DEEBOT X1 TURBO 0 \u003c 2.4.41",
                  "product_id": "CSAFPID-0032"
                }
              },
              {
                "category": "product_version",
                "name": "2.4.41",
                "product": {
                  "name": "ECOVACS DEEBOT X1 TURBO 2.4.41",
                  "product_id": "CSAFPID-0033"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT X1 TURBO"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.81.10",
                "product": {
                  "name": "ECOVACS DEEBOT X2 COMBO 0 \u003c 1.81.10",
                  "product_id": "CSAFPID-0034"
                }
              },
              {
                "category": "product_version",
                "name": "1.81.10",
                "product": {
                  "name": "ECOVACS DEEBOT X2 COMBO 1.81.10",
                  "product_id": "CSAFPID-0035"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT X2 COMBO"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.76.6",
                "product": {
                  "name": "ECOVACS DEEBOT X2  OMNI 1.76.6",
                  "product_id": "CSAFPID-0036"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.76.6",
                "product": {
                  "name": "ECOVACS DEEBOT X2  OMNI 0 \u003c 1.76.6",
                  "product_id": "CSAFPID-0037"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT X2  OMNI"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.76.6",
                "product": {
                  "name": "ECOVACS DEEBOT X2 PRO 1.76.6",
                  "product_id": "CSAFPID-0038"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.76.6",
                "product": {
                  "name": "ECOVACS DEEBOT X2 PRO 0 \u003c 1.76.6",
                  "product_id": "CSAFPID-0039"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT X2 PRO"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.49.0",
                "product": {
                  "name": "ECOVACS DEEBOT X2S 0 \u003c 1.49.0",
                  "product_id": "CSAFPID-0040"
                }
              },
              {
                "category": "product_version",
                "name": "1.49.0",
                "product": {
                  "name": "ECOVACS DEEBOT X2S 1.49.0",
                  "product_id": "CSAFPID-0041"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT X2S"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.70.0",
                "product": {
                  "name": "ECOVACS DEEBOT X5 PRO 0 \u003c 1.70.0",
                  "product_id": "CSAFPID-0042"
                }
              },
              {
                "category": "product_version",
                "name": "1.70.0",
                "product": {
                  "name": "ECOVACS DEEBOT X5 PRO 1.70.0",
                  "product_id": "CSAFPID-0043"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT X5 PRO"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.38.0",
                "product": {
                  "name": "ECOVACS DEEBOT X5 PRO PLUS 1.38.0",
                  "product_id": "CSAFPID-0044"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.38.0",
                "product": {
                  "name": "ECOVACS DEEBOT X5 PRO PLUS 0 \u003c 1.38.0",
                  "product_id": "CSAFPID-0045"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT X5 PRO PLUS"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.17.0",
                "product": {
                  "name": "ECOVACS DEEBOT X5 PRO ULTRA 0 \u003c 1.17.0",
                  "product_id": "CSAFPID-0046"
                }
              },
              {
                "category": "product_version",
                "name": "1.17.0",
                "product": {
                  "name": "ECOVACS DEEBOT X5 PRO ULTRA 1.17.0",
                  "product_id": "CSAFPID-0047"
                }
              }
            ],
            "category": "product_name",
            "name": "DEEBOT X5 PRO ULTRA"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0.0",
                "product": {
                  "name": "ECOVACS ECOVACS HOME 3.0.0",
                  "product_id": "CSAFPID-0048"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c3.0.0",
                "product": {
                  "name": "ECOVACS ECOVACS HOME 0 \u003c 3.0.0",
                  "product_id": "CSAFPID-0049"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c3.0.2",
                "product": {
                  "name": "ECOVACS ECOVACS HOME 0 \u003c 3.0.2",
                  "product_id": "CSAFPID-0050"
                }
              },
              {
                "category": "product_version",
                "name": "3.0.2",
                "product": {
                  "name": "ECOVACS ECOVACS HOME 3.0.2",
                  "product_id": "CSAFPID-0051"
                }
              }
            ],
            "category": "product_name",
            "name": "ECOVACS HOME"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.36.187",
                "product": {
                  "name": "ECOVACS GOAT G1 0 \u003c 1.36.187",
                  "product_id": "CSAFPID-0052"
                }
              },
              {
                "category": "product_version",
                "name": "1.36.187",
                "product": {
                  "name": "ECOVACS GOAT G1 1.36.187",
                  "product_id": "CSAFPID-0053"
                }
              }
            ],
            "category": "product_name",
            "name": "GOAT G1"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.36.187",
                "product": {
                  "name": "ECOVACS GOAT G1-2000 0 \u003c 1.36.187",
                  "product_id": "CSAFPID-0054"
                }
              },
              {
                "category": "product_version",
                "name": "1.36.187",
                "product": {
                  "name": "ECOVACS GOAT G1-2000 1.36.187",
                  "product_id": "CSAFPID-0055"
                }
              }
            ],
            "category": "product_name",
            "name": "GOAT G1-2000"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.36.187",
                "product": {
                  "name": "ECOVACS GOAT G1-800 0 \u003c 1.36.187",
                  "product_id": "CSAFPID-0056"
                }
              },
              {
                "category": "product_version",
                "name": "1.36.187",
                "product": {
                  "name": "ECOVACS GOAT G1-800 1.36.187",
                  "product_id": "CSAFPID-0057"
                }
              }
            ],
            "category": "product_name",
            "name": "GOAT G1-800"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c1.2.120",
                "product": {
                  "name": "ECOVACS GOAT GX-600 0 \u003c 1.2.120",
                  "product_id": "CSAFPID-0058"
                }
              },
              {
                "category": "product_version",
                "name": "1.2.120",
                "product": {
                  "name": "ECOVACS GOAT GX-600 1.2.120",
                  "product_id": "CSAFPID-0059"
                }
              }
            ],
            "category": "product_name",
            "name": "GOAT GX-600"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "1.44.18",
                "product": {
                  "name": "ECOVACS Mate X 1.44.18",
                  "product_id": "CSAFPID-0060"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c1.44.18",
                "product": {
                  "name": "ECOVACS Mate X 0 \u003c 1.44.18",
                  "product_id": "CSAFPID-0061"
                }
              }
            ],
            "category": "product_name",
            "name": "Mate X"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "vers:all/*",
                "product": {
                  "name": "ECOVACS Unspecified robots *",
                  "product_id": "CSAFPID-0062"
                }
              }
            ],
            "category": "product_name",
            "name": "Unspecified robots"
          }
        ],
        "category": "vendor",
        "name": "ECOVACS"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Dennis Giese",
            "Braelynn Luedtke",
            "Chris Anderson"
          ]
        }
      ],
      "cve": "CVE-2024-52325",
      "cwe": {
        "id": "CWE-77",
        "name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over unauthenticated BLE connection.",
          "title": "Description"
        },
        {
          "category": "details",
          "text": "SSVCv2/E:P/A:N/T:T/2024-11-21T21:30:52Z/",
          "title": "SSVC"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0053",
          "CSAFPID-0057",
          "CSAFPID-0041",
          "CSAFPID-0043",
          "CSAFPID-0044",
          "CSAFPID-0015",
          "CSAFPID-0017",
          "CSAFPID-0055",
          "CSAFPID-0059",
          "CSAFPID-0036",
          "CSAFPID-0035",
          "CSAFPID-0047"
        ],
        "known_affected": [
          "CSAFPID-0052",
          "CSAFPID-0056",
          "CSAFPID-0040",
          "CSAFPID-0042",
          "CSAFPID-0045",
          "CSAFPID-0014",
          "CSAFPID-0016",
          "CSAFPID-0054",
          "CSAFPID-0058",
          "CSAFPID-0037",
          "CSAFPID-0034",
          "CSAFPID-0046"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "dontvacuum.me",
          "url": "https://dontvacuum.me/talks/DEFCON32/DEFCON32_reveng_hacking_ecovacs_robots.pdf"
        },
        {
          "category": "external",
          "summary": "youtu.be",
          "url": "https://youtu.be/_wUsM0Mlenc?t=2041"
        },
        {
          "category": "external",
          "summary": "www.ecovacs.com",
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241130001"
        },
        {
          "category": "external",
          "summary": "www.ecovacs.com",
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241119"
        }
      ],
      "release_date": "2024-08-11T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-11-30T06:00:00Z",
          "details": "ECOVACS released firmware version 1.36.187.",
          "product_ids": [
            "CSAFPID-0052"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241130001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-30T06:00:00Z",
          "details": "ECOVACS released firmware version 1.36.187.",
          "product_ids": [
            "CSAFPID-0053"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241130001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-30T06:00:00Z",
          "details": "ECOVACS released firmware version 1.36.187.",
          "product_ids": [
            "CSAFPID-0056"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241130001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-30T06:00:00Z",
          "details": "ECOVACS released firmware version 1.36.187.",
          "product_ids": [
            "CSAFPID-0057"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241130001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-19T06:00:00Z",
          "details": "ECOVACS released firmware version 1.49.0.",
          "product_ids": [
            "CSAFPID-0040"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241119"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-19T06:00:00Z",
          "details": "ECOVACS released firmware version 1.49.0.",
          "product_ids": [
            "CSAFPID-0041"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241119"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-19T06:00:00Z",
          "details": "ECOVACS released firmware version 1.70.0.",
          "product_ids": [
            "CSAFPID-0042"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241119"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-19T06:00:00Z",
          "details": "ECOVACS released firmware version 1.70.0.",
          "product_ids": [
            "CSAFPID-0043"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241119"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-19T06:00:00Z",
          "details": "ECOVACS released firmware version 1.38.0.",
          "product_ids": [
            "CSAFPID-0045"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241119"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-19T06:00:00Z",
          "details": "ECOVACS released firmware version 1.38.0.",
          "product_ids": [
            "CSAFPID-0044"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241119"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-19T06:00:00Z",
          "details": "ECOVACS released firmware version 1.93.0.",
          "product_ids": [
            "CSAFPID-0014"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241119"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-19T06:00:00Z",
          "details": "ECOVACS released firmware version 1.93.0.",
          "product_ids": [
            "CSAFPID-0015"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241119"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-19T06:00:00Z",
          "details": "ECOVACS released firmware version 1.95.0.",
          "product_ids": [
            "CSAFPID-0016"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241119"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-19T06:00:00Z",
          "details": "ECOVACS released firmware version 1.95.0.",
          "product_ids": [
            "CSAFPID-0017"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241119"
        },
        {
          "category": "none_available",
          "details": "Unknown.",
          "product_ids": [
            "CSAFPID-0004"
          ]
        },
        {
          "category": "none_available",
          "details": "Unknown.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-30T06:00:00Z",
          "details": "ECOVACS released firmware version 1.36.187.",
          "product_ids": [
            "CSAFPID-0054"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241130001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-30T06:00:00Z",
          "details": "ECOVACS released firmware version 1.36.187.",
          "product_ids": [
            "CSAFPID-0055"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241130001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-30T06:00:00Z",
          "details": "ECOVACS released firmware version 1.2.120.",
          "product_ids": [
            "CSAFPID-0058"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241130001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-30T06:00:00Z",
          "details": "ECOVACS released firmware version 1.2.120.",
          "product_ids": [
            "CSAFPID-0059"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241130001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-19T06:00:00Z",
          "details": "ECOVACS released firmware version 1.76.6.",
          "product_ids": [
            "CSAFPID-0037"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241119"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-19T06:00:00Z",
          "details": "ECOVACS released firmware version 1.76.6.",
          "product_ids": [
            "CSAFPID-0036"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241119"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-19T06:00:00Z",
          "details": "ECOVACS released firmware version 1.81.10.",
          "product_ids": [
            "CSAFPID-0034"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241119"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-19T06:00:00Z",
          "details": "ECOVACS released firmware version 1.81.10.",
          "product_ids": [
            "CSAFPID-0035"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241119"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-19T06:00:00Z",
          "details": "ECOVACS released firmware version 1.17.0.",
          "product_ids": [
            "CSAFPID-0046"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241119"
        },
        {
          "category": "vendor_fix",
          "date": "2024-11-19T06:00:00Z",
          "details": "ECOVACS released firmware version 1.17.0.",
          "product_ids": [
            "CSAFPID-0047"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241119"
        },
        {
          "category": "none_available",
          "details": "Unknown.",
          "product_ids": [
            "CSAFPID-0005"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.6,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0052",
            "CSAFPID-0056",
            "CSAFPID-0040",
            "CSAFPID-0042",
            "CSAFPID-0045",
            "CSAFPID-0014",
            "CSAFPID-0016",
            "CSAFPID-0054",
            "CSAFPID-0058",
            "CSAFPID-0037",
            "CSAFPID-0034",
            "CSAFPID-0046"
          ]
        }
      ],
      "title": "ECOVACS robot lawnmowers and vacuums command injection"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Braelynn Luedtke"
          ]
        },
        {
          "names": [
            "Dennis Giese"
          ]
        }
      ],
      "cve": "CVE-2024-52328",
      "cwe": {
        "id": "CWE-732",
        "name": "Incorrect Permission Assignment for Critical Resource"
      },
      "notes": [
        {
          "category": "summary",
          "text": "ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on.",
          "title": "Description"
        },
        {
          "category": "details",
          "text": "SSVCv2/E:P/A:N/T:P/2024-11-21T21:44:10Z/",
          "title": "SSVC"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0062"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "dontvacuum.me",
          "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
        },
        {
          "category": "external",
          "summary": "dontvacuum.me",
          "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
        }
      ],
      "release_date": "2023-12-27T00:00:00Z",
      "remediations": [
        {
          "category": "none_available",
          "details": "Any ECOVACS robot with a camera is likely to be affected.",
          "product_ids": [
            "CSAFPID-0062"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 2.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0062"
          ]
        }
      ],
      "title": "ECOVACS lawnmowers and vacuums insecurely store audio warning files"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Dennis Giese"
          ]
        },
        {
          "names": [
            "Braelynn Luedtke"
          ]
        }
      ],
      "cve": "CVE-2024-52329",
      "cwe": {
        "id": "CWE-295",
        "name": "Improper Certificate Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens.",
          "title": "Description"
        },
        {
          "category": "details",
          "text": "SSVCv2/E:P/A:N/T:T/2025-01-16T20:12:16Z/",
          "title": "SSVC"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0048"
        ],
        "known_affected": [
          "CSAFPID-0049"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "dontvacuum.me",
          "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
        },
        {
          "category": "external",
          "summary": "dontvacuum.me",
          "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
        },
        {
          "category": "external",
          "summary": "www.ecovacs.com",
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        }
      ],
      "release_date": "2023-12-27T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS released version 3.0.0 of the ECOVACS HOME app. ECOVACS may have updated plugins for specific robots.",
          "product_ids": [
            "CSAFPID-0048"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS released version 3.0.0 of the ECOVACS HOME app. ECOVACS may have updated plugins for specific robots.",
          "product_ids": [
            "CSAFPID-0049"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0049"
          ]
        }
      ],
      "title": "ECOVACS HOME mobile app plugins do not properly validate TLS certificates"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Dennis Giese"
          ]
        },
        {
          "names": [
            "Braelynn Luedtke"
          ]
        }
      ],
      "cve": "CVE-2024-52330",
      "cwe": {
        "id": "CWE-295",
        "name": "Improper Certificate Validation"
      },
      "notes": [
        {
          "category": "summary",
          "text": "ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.",
          "title": "Description"
        },
        {
          "category": "details",
          "text": "SSVCv2/E:P/A:N/T:T/2024-11-22T17:08:48Z/",
          "title": "SSVC"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0044",
          "CSAFPID-0043",
          "CSAFPID-0041",
          "CSAFPID-0036",
          "CSAFPID-0033",
          "CSAFPID-0018",
          "CSAFPID-0028",
          "CSAFPID-0020",
          "CSAFPID-0010",
          "CSAFPID-0009",
          "CSAFPID-0047",
          "CSAFPID-0060",
          "CSAFPID-0038",
          "CSAFPID-0035",
          "CSAFPID-0023",
          "CSAFPID-0026",
          "CSAFPID-0024",
          "CSAFPID-0030",
          "CSAFPID-0012",
          "CSAFPID-0007"
        ],
        "known_affected": [
          "CSAFPID-0045",
          "CSAFPID-0042",
          "CSAFPID-0040",
          "CSAFPID-0037",
          "CSAFPID-0032",
          "CSAFPID-0019",
          "CSAFPID-0029",
          "CSAFPID-0021",
          "CSAFPID-0011",
          "CSAFPID-0008",
          "CSAFPID-0046",
          "CSAFPID-0061",
          "CSAFPID-0039",
          "CSAFPID-0034",
          "CSAFPID-0022",
          "CSAFPID-0027",
          "CSAFPID-0025",
          "CSAFPID-0031",
          "CSAFPID-0013",
          "CSAFPID-0006"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "dontvacuum.me",
          "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
        },
        {
          "category": "external",
          "summary": "dontvacuum.me",
          "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
        },
        {
          "category": "external",
          "summary": "www.ecovacs.com",
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        }
      ],
      "release_date": "2023-12-27T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.38.0.",
          "product_ids": [
            "CSAFPID-0044"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.38.0.",
          "product_ids": [
            "CSAFPID-0045"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.70.0.",
          "product_ids": [
            "CSAFPID-0043"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.70.0.",
          "product_ids": [
            "CSAFPID-0042"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.49.0.",
          "product_ids": [
            "CSAFPID-0040"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.49.0.",
          "product_ids": [
            "CSAFPID-0041"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.76.6.",
          "product_ids": [
            "CSAFPID-0036"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.76.6.",
          "product_ids": [
            "CSAFPID-0037"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 2.4.41.",
          "product_ids": [
            "CSAFPID-0032"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 2.4.41.",
          "product_ids": [
            "CSAFPID-0033"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.7.3.",
          "product_ids": [
            "CSAFPID-0018"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.7.3.",
          "product_ids": [
            "CSAFPID-0019"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 2.5.31.",
          "product_ids": [
            "CSAFPID-0028"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 2.5.31.",
          "product_ids": [
            "CSAFPID-0029"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 2.4.42.",
          "product_ids": [
            "CSAFPID-0020"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 2.4.42.",
          "product_ids": [
            "CSAFPID-0021"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.7.5.",
          "product_ids": [
            "CSAFPID-0010"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.7.5.",
          "product_ids": [
            "CSAFPID-0011"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.9.0.",
          "product_ids": [
            "CSAFPID-0008"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.9.0.",
          "product_ids": [
            "CSAFPID-0009"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.17.0.",
          "product_ids": [
            "CSAFPID-0046"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.17.0.",
          "product_ids": [
            "CSAFPID-0047"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.44.18.",
          "product_ids": [
            "CSAFPID-0060"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.44.18.",
          "product_ids": [
            "CSAFPID-0061"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.76.6.",
          "product_ids": [
            "CSAFPID-0038"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.76.6.",
          "product_ids": [
            "CSAFPID-0039"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.81.10.",
          "product_ids": [
            "CSAFPID-0034"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.81.10.",
          "product_ids": [
            "CSAFPID-0035"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 2.4.41.",
          "product_ids": [
            "CSAFPID-0022"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 2.4.41.",
          "product_ids": [
            "CSAFPID-0023"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 2.4.41.",
          "product_ids": [
            "CSAFPID-0026"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 2.4.41.",
          "product_ids": [
            "CSAFPID-0027"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.7.3.",
          "product_ids": [
            "CSAFPID-0024"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.7.3.",
          "product_ids": [
            "CSAFPID-0025"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.23.0.",
          "product_ids": [
            "CSAFPID-0030"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.23.0.",
          "product_ids": [
            "CSAFPID-0031"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.10.0.",
          "product_ids": [
            "CSAFPID-0012"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.10.0.",
          "product_ids": [
            "CSAFPID-0013"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.7.5.",
          "product_ids": [
            "CSAFPID-0006"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS has released firmware version 1.7.5.",
          "product_ids": [
            "CSAFPID-0007"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0045",
            "CSAFPID-0042",
            "CSAFPID-0040",
            "CSAFPID-0037",
            "CSAFPID-0032",
            "CSAFPID-0019",
            "CSAFPID-0029",
            "CSAFPID-0021",
            "CSAFPID-0011",
            "CSAFPID-0008",
            "CSAFPID-0046",
            "CSAFPID-0061",
            "CSAFPID-0039",
            "CSAFPID-0034",
            "CSAFPID-0022",
            "CSAFPID-0027",
            "CSAFPID-0025",
            "CSAFPID-0031",
            "CSAFPID-0013",
            "CSAFPID-0006"
          ]
        }
      ],
      "title": "ECOVACS lawnmowers and vacuums do not properly validate TLS certificates"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Dennis Giese"
          ]
        },
        {
          "names": [
            "Braelynn Luedtke"
          ]
        }
      ],
      "cve": "CVE-2024-52331",
      "cwe": {
        "id": "CWE-494",
        "name": "Download of Code Without Integrity Check"
      },
      "notes": [
        {
          "category": "summary",
          "text": "ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.",
          "title": "Description"
        },
        {
          "category": "details",
          "text": "SSVCv2/E:P/A:N/T:T/2024-11-22T17:18:33Z/",
          "title": "SSVC"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0062"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "dontvacuum.me",
          "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.html"
        },
        {
          "category": "external",
          "summary": "dontvacuum.me",
          "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
        }
      ],
      "release_date": "2023-12-27T00:00:00Z",
      "remediations": [
        {
          "category": "none_available",
          "details": "Unknown.",
          "product_ids": [
            "CSAFPID-0062"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0062"
          ]
        }
      ],
      "title": "ECOVACS lawnmowers and vacuums deterministic firmware encryption key"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Dennis Giese"
          ]
        },
        {
          "names": [
            "Braelynn Luedtke"
          ]
        }
      ],
      "cve": "CVE-2024-11147",
      "cwe": {
        "id": "CWE-798",
        "name": "Use of Hard-coded Credentials"
      },
      "notes": [
        {
          "category": "summary",
          "text": "ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can login as root.",
          "title": "Description"
        },
        {
          "category": "details",
          "text": "SSVCv2/E:P/A:N/T:T/2024-11-25T16:55:39Z/",
          "title": "SSVC"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0062"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "dontvacuum.me",
          "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
        },
        {
          "category": "external",
          "summary": "dontvacuum.me",
          "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
        },
        {
          "category": "external",
          "summary": "builder.dontvacuum.me",
          "url": "https://builder.dontvacuum.me/ecopassword.php"
        }
      ],
      "release_date": "2023-12-27T00:00:00Z",
      "remediations": [
        {
          "category": "none_available",
          "details": "Unknown.",
          "product_ids": [
            "CSAFPID-0062"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0062"
          ]
        }
      ],
      "title": "ECOVACS lawnmowers and vacuums deterministic root password"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Dennis Giese"
          ]
        },
        {
          "names": [
            "Braelynn Luedtke"
          ]
        }
      ],
      "cve": "CVE-2024-12078",
      "cwe": {
        "id": "CWE-321",
        "name": "Use of Hard-coded Cryptographic Key"
      },
      "notes": [
        {
          "category": "summary",
          "text": "ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key.",
          "title": "Description"
        },
        {
          "category": "details",
          "text": "SSVCv2/E:P/A:N/T:P/2025-01-23T00:08:15Z/",
          "title": "SSVC"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0062"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "dontvacuum.me",
          "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
        },
        {
          "category": "external",
          "summary": "youtu.be",
          "url": "https://youtu.be/_wUsM0Mlenc?t=2041"
        }
      ],
      "release_date": "2023-12-27T00:00:00Z",
      "remediations": [
        {
          "category": "none_available",
          "details": "Unknown.",
          "product_ids": [
            "CSAFPID-0062"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0062"
          ]
        }
      ],
      "title": "ECOVACS lawnmowers and vacuums static BLE GATT encryption key"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Dennis Giese"
          ]
        },
        {
          "names": [
            "Braelynn Luedtke"
          ]
        }
      ],
      "cve": "CVE-2024-12079",
      "cwe": {
        "id": "CWE-312",
        "name": "Cleartext Storage of Sensitive Information"
      },
      "notes": [
        {
          "category": "summary",
          "text": "ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism.",
          "title": "Description"
        },
        {
          "category": "details",
          "text": "SSVCv2/E:P/A:N/T:P/2025-01-23T00:29:20Z/",
          "title": "SSVC"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0062"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "dontvacuum.me",
          "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
        }
      ],
      "release_date": "2023-12-27T00:00:00Z",
      "remediations": [
        {
          "category": "none_available",
          "details": "Unknown.",
          "product_ids": [
            "CSAFPID-0062"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0062"
          ]
        }
      ],
      "title": "ECOVACS lawnmowers cleartext storage of anti-theft PIN"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Dennis Giese"
          ]
        },
        {
          "names": [
            "Braelynn Luedtke"
          ]
        }
      ],
      "cve": "CVE-2024-52327",
      "cwe": {
        "id": "CWE-603",
        "name": "Use of Client-Side Authentication"
      },
      "notes": [
        {
          "category": "summary",
          "text": "The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed.",
          "title": "Description"
        },
        {
          "category": "details",
          "text": "SSVCv2/E:P/A:N/T:P/2025-01-15T20:26:52Z/",
          "title": "SSVC"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-0051",
          "CSAFPID-0003"
        ],
        "known_affected": [
          "CSAFPID-0050",
          "CSAFPID-0002"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "dontvacuum.me",
          "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
        },
        {
          "category": "external",
          "summary": "dontvacuum.me",
          "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
        },
        {
          "category": "external",
          "summary": "www.ecovacs.com",
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217002"
        }
      ],
      "release_date": "2023-12-27T00:00:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS updated the cloud service and ECOVACS HOME mobile apps.",
          "product_ids": [
            "CSAFPID-0050"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217002"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS updated the cloud service and ECOVACS HOME mobile apps.",
          "product_ids": [
            "CSAFPID-0051"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217002"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS updated the cloud service and ECOVACS HOME mobile apps.",
          "product_ids": [
            "CSAFPID-0002"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217002"
        },
        {
          "category": "vendor_fix",
          "date": "2024-12-17T06:00:00Z",
          "details": "ECOVACS updated the cloud service and ECOVACS HOME mobile apps.",
          "product_ids": [
            "CSAFPID-0003"
          ],
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217002"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0050",
            "CSAFPID-0002"
          ]
        }
      ],
      "title": "ECOVACS lawnmower and vacuum cloud service live video PIN bypass"
    }
  ]
}

fkie_cve-2024-52330

Vulnerability from fkie_nvd

Published

2025-01-23 17:15

Modified

2025-09-23 17:48

Severity ?

7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.

References

URL	Tags
9119a7d8-5eab-497f-8521-727c672e3725	https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf	Exploit, Third Party Advisory
9119a7d8-5eab-497f-8521-727c672e3725	https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf	Exploit, Third Party Advisory
9119a7d8-5eab-497f-8521-727c672e3725	https://www.ecovacs.com/global/userhelp/dsa20241217001	Vendor Advisory

Impacted products

Vendor	Product	Version
ecovacs	deebot_x2_omni_firmware	*
ecovacs	deebot_x2_omni	-
ecovacs	deebot_x2_combo_firmware	*
ecovacs	deebot_x2_combo	-
ecovacs	deebot_x2s_firmware	*
ecovacs	deebot_x2s	-
ecovacs	deebot_x5_pro_firmware	*
ecovacs	deebot_x5_pro	-
ecovacs	deebot_x5_pro_plus_firmware	*
ecovacs	deebot_x5_pro_plus	-
ecovacs	deebot_x5_pro_ultra_firmware	*
ecovacs	deebot_x5_pro_ultra	-
ecovacs	mate_x_firmware	*
ecovacs	mate_x	-
ecovacs	deebot_x1_omni_firmware	*
ecovacs	deebot_x1_omni	-
ecovacs	deebot_x1_turbo_firmware	*
ecovacs	deebot_x1_turbo	-
ecovacs	deebot_x1_pro_omni_firmware	*
ecovacs	deebot_x1_pro_omni	-
ecovacs	deebot_x1_firmware	*
ecovacs	deebot_x1	-
ecovacs	deebot_x1_plus_firmware	*
ecovacs	deebot_x1_plus	-
ecovacs	deebot_x1s_pro_firmware	*
ecovacs	deebot_x1s_pro	-
ecovacs	deebot_x1s_pro_plus_firmware	*
ecovacs	deebot_x1s_pro_plus	-
ecovacs	deebot_x1e_omni_firmware	*
ecovacs	deebot_x1e_omni	-
ecovacs	deebot_t10_turbo_firmware	*
ecovacs	deebot_t10_turbo	-
ecovacs	deebot_t10_plus_firmware	*
ecovacs	deebot_t10_plus	-
ecovacs	deebot_t10_firmware	*
ecovacs	deebot_t10	-
ecovacs	deebot_t10_omni_firmware	*
ecovacs	deebot_t10_omni	-
ecovacs	deebot_x2_pro_firmware	*
ecovacs	deebot_x2_pro	-

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ecovacs:deebot_x2_omni_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DFBAD9FC-1343-4D07-99E6-9E7C3D77C694",
              "versionEndExcluding": "1.76.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ecovacs:deebot_x2_omni:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "9BD94283-0BC1-4C7C-A5F3-9D57E44B4C64",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ecovacs:deebot_x2_combo_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DAF98AFD-C399-4AB8-A637-29561F39F134",
              "versionEndExcluding": "1.81.10",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ecovacs:deebot_x2_combo:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "2C12633C-1BD2-4BF6-BF11-FC05221B93EB",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ecovacs:deebot_x2s_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "969D4A03-B499-4218-BF07-22E51654AA6C",
              "versionEndExcluding": "1.49.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ecovacs:deebot_x2s:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "11AA1D51-EE29-4252-A739-1F1D4A3F428D",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ecovacs:deebot_x5_pro_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5B819C9B-F143-4A63-825C-B1DF1DCB16B7",
              "versionEndExcluding": "1.70.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ecovacs:deebot_x5_pro:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "64AB781B-CB28-4229-A74D-8CDD325EFAC3",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ecovacs:deebot_x5_pro_plus_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0F61F40B-6031-4C32-9571-B92C3377EFB2",
              "versionEndExcluding": "1.38.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ecovacs:deebot_x5_pro_plus:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "CFE49BE7-59E8-4447-B78B-4FEDF4F773CD",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ecovacs:deebot_x5_pro_ultra_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9C4821F3-3B7D-4035-980F-C11713C5D424",
              "versionEndExcluding": "1.17.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ecovacs:deebot_x5_pro_ultra:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "8504979A-A4F0-4A03-8816-E9AB3BD6F40B",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ecovacs:mate_x_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C4EC5E7-04E3-497C-ACD9-2479C48A2FC4",
              "versionEndExcluding": "1.44.18",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ecovacs:mate_x:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "706F2C75-0E75-487B-BA24-EB824E6BC16B",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ecovacs:deebot_x1_omni_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8F75A470-5B86-41C6-86E2-232656AF68F9",
              "versionEndExcluding": "2.4.41",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ecovacs:deebot_x1_omni:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "91E23E30-45BE-4142-8E9C-032282F3B6A6",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ecovacs:deebot_x1_turbo_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0F868AC3-7B87-44E5-A7B0-F2C85DCA7E7C",
              "versionEndExcluding": "2.4.41",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ecovacs:deebot_x1_turbo:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "65F69609-1D21-461A-9457-A745194759CD",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ecovacs:deebot_x1_pro_omni_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "2B044584-55B4-4E88-99C9-9A48D9B4E908",
              "versionEndExcluding": "2.4.41",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ecovacs:deebot_x1_pro_omni:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "003B54E0-B2FF-485A-9A55-925609EE8DF1",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ecovacs:deebot_x1_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4AE87B2E-A1B1-438E-9482-E8466647050B",
              "versionEndExcluding": "1.7.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ecovacs:deebot_x1:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4DA0B484-221F-4E67-927F-DBCBBC1F6448",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ecovacs:deebot_x1_plus_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7DC2AA81-5895-43EE-8B34-D8074DDD301F",
              "versionEndExcluding": "1.7.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ecovacs:deebot_x1_plus:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "C5586D60-D87F-45A1-8619-F6CC12AD9731",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ecovacs:deebot_x1s_pro_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "849A58E5-2700-49F4-BF60-C35E97689AE1",
              "versionEndExcluding": "2.5.31",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ecovacs:deebot_x1s_pro:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "037628A9-DD54-4A4B-97A9-78142B76E91E",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ecovacs:deebot_x1s_pro_plus_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7526B614-1962-490C-8972-2A275A471A86",
              "versionEndExcluding": "1.23.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ecovacs:deebot_x1s_pro_plus:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4612A790-C3CC-40AA-8E31-2C2918C6AB6C",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ecovacs:deebot_x1e_omni_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "67C721A5-53B6-4B15-A76C-481EF4C45147",
              "versionEndExcluding": "2.4.42",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ecovacs:deebot_x1e_omni:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "16705AA3-4CAE-4BF5-8084-6A6CB30A1E8C",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ecovacs:deebot_t10_turbo_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "454C233D-82D5-4B99-AC3A-94B1CF23F078",
              "versionEndExcluding": "1.10.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ecovacs:deebot_t10_turbo:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "85DEFE0B-99F7-49DF-96E3-69B6FC1EF262",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ecovacs:deebot_t10_plus_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "79E44970-1ADF-4170-A09A-F64F02E27C64",
              "versionEndExcluding": "1.7.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ecovacs:deebot_t10_plus:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "1CBAA124-1B4C-4E75-80E1-A747AC9183E1",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ecovacs:deebot_t10_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4CA98740-BA9B-4479-B92F-F76B1234D2FE",
              "versionEndExcluding": "1.7.5",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ecovacs:deebot_t10:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "318C962D-54C2-456E-A045-1332A02958E9",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ecovacs:deebot_t10_omni_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B843C490-26E9-4D03-8BCB-DBC462833D12",
              "versionEndExcluding": "1.9.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ecovacs:deebot_t10_omni:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "11395F70-87C2-41DD-9D9A-CFA8D0512ECE",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:ecovacs:deebot_x2_pro_firmware:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F3F737D6-74BD-47F8-88B7-045E8B280E46",
              "versionEndExcluding": "1.76.6",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:ecovacs:deebot_x2_pro:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "C98FE3FD-E432-4DD7-AF87-6FBA4C4ABC45",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates."
    },
    {
      "lang": "es",
      "value": "Las cortadoras de c\u00e9sped y las aspiradoras ECOVACS no validan correctamente los certificados TLS. Un atacante no autenticado puede leer o modificar el tr\u00e1fico TLS, posiblemente modificando las actualizaciones de firmware."
    }
  ],
  "id": "CVE-2024-52330",
  "lastModified": "2025-09-23T17:48:33.127",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.2,
        "source": "9119a7d8-5eab-497f-8521-727c672e3725",
        "type": "Secondary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.5,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "9119a7d8-5eab-497f-8521-727c672e3725",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-23T17:15:14.427",
  "references": [
    {
      "source": "9119a7d8-5eab-497f-8521-727c672e3725",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
    },
    {
      "source": "9119a7d8-5eab-497f-8521-727c672e3725",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
    },
    {
      "source": "9119a7d8-5eab-497f-8521-727c672e3725",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
    }
  ],
  "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "9119a7d8-5eab-497f-8521-727c672e3725",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-52330 (GCVE-0-2024-52330)

Vulnerability from cvelistv5

ghsa-m998-32q9-vxpx

Vulnerability from github

va-25-022-01

Vulnerability from csaf_cisa

fkie_cve-2024-52330

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature