CVE-2024-52325

ECOVACS robot lawnmowers and vacuums command injection

CVSS 5.8 MEDIUMEPSS 3.0%CWE-77

ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection.

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H

Affected products

ECOVACS · DEEBOT T30 OMNI ECOVACS · DEEBOT T30S ECOVACS · DEEBOT X2 COMBO ECOVACS · DEEBOT X2 OMNI ECOVACS · DEEBOT X2S ECOVACS · DEEBOT X5 PRO ECOVACS · DEEBOT X5 PRO PLUS ECOVACS · DEEBOT X5 PRO ULTRA ECOVACS · GOAT G1 ECOVACS · GOAT G1-2000 ECOVACS · GOAT G1-800 ECOVACS · GOAT GX-600

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://dontvacuum.me/talks/DEFCON32/DEFCON32_reveng_hacking_ecovacs_robots.pdf https://www.ecovacs.com/global/userhelp/dsa20241119 https://www.ecovacs.com/global/userhelp/dsa20241130001 https://youtu.be/_wUsM0Mlenc?t=2041