← back
CVE-2024-52330

ECOVACS lawnmowers and vacuums do not properly validate TLS certificates

CVSS 9.5 CRITICALEPSS 0.3%CWE-295
Vexday Risk Score
28Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.5EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
23 Jan 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H
Affected products
ECOVACS · DEEBOT T10ECOVACS · DEEBOT T10 OMNIECOVACS · DEEBOT T10 PLUSECOVACS · DEEBOT T10 TURBOECOVACS · DEEBOT X1ECOVACS · DEEBOT X1e OMNIECOVACS · DEEBOT X1 OMNIECOVACS · DEEBOT X1 PLUSECOVACS · DEEBOT X1 PRO OMNIECOVACS · DEEBOT X1S PROECOVACS · DEEBOT X1S PRO PLUSECOVACS · DEEBOT X1 TURBOECOVACS · DEEBOT X2 COMBOECOVACS · DEEBOT X2 OMNIECOVACS · DEEBOT X2 PROECOVACS · DEEBOT X2SECOVACS · DEEBOT X5 PROECOVACS · DEEBOT X5 PRO PLUSECOVACS · DEEBOT X5 PRO ULTRAECOVACS · Mate X

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdfhttps://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdfhttps://www.ecovacs.com/global/userhelp/dsa20241217001