CVE-2024-52330

Critical CVSS: 9.5

ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.

Vendor

Ecovacs

Product

Deebot X2 Omni Firmware

CWE

CWE-295

Yayın Tarihi

2025-01-23 17:15:14

Güncelleme

2025-09-23 17:48:33

Source Identifier

9119a7d8-5eab-497f-8521-727c672e3725

KEV Date Added

Kategoriler

CWE-295 Deebot X2 Omni Firmware CRITICAL Ecovacs 2025

Referanslar

https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf https://www.ecovacs.com/global/userhelp/dsa20241217001

Benzer Kayıtlar

Low

CVE-2025-30198

ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK, which c…

High

CVE-2025-30199

ECOVACS vacuum robot base stations do not validate firmware updates, so malicious over-the-air updates can be sent to ba…

Low

CVE-2025-30200

ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption ke…

Low

CVE-2024-52328

ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker wi…

Critical

CVE-2024-52329

ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attack…

High

CVE-2024-52331

ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can crea…