CVE-2024-52325

Medium CVSS: 5.8

ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection.

Vendor

Product

CWE

Yayın Tarihi

2025-01-23 16:15:35

Güncelleme

2025-09-23 17:35:35

Source Identifier

9119a7d8-5eab-497f-8521-727c672e3725

KEV Date Added

CWE-77 Goat G1-2000 Firmware MEDIUM Ecovacs 2025

https://dontvacuum.me/talks/DEFCON32/DEFCON32_reveng_hacking_ecovacs_robots.pdf https://www.ecovacs.com/global/userhelp/dsa20241119 https://www.ecovacs.com/global/userhelp/dsa20241130001 https://youtu.be/_wUsM0Mlenc?t=2041

Low

CVE-2025-30198

ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK, which c…

High

CVE-2025-30199

ECOVACS vacuum robot base stations do not validate firmware updates, so malicious over-the-air updates can be sent to ba…

Low

CVE-2025-30200

ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption ke…

Low

CVE-2024-52328

ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker wi…

Critical

CVE-2024-52329

ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attack…

Critical

CVE-2024-52330

ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify…