Search criteria
4 vulnerabilities found for ECOVACS HOME by ECOVACS
CVE-2024-52329 (GCVE-0-2024-52329)
Vulnerability from nvd – Published: 2025-01-23 16:36 – Updated: 2025-02-12 20:41
VLAI?
Title
ECOVACS HOME mobile app plugins do not properly validate TLS certificates
Summary
ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens.
Severity ?
7.4 (High)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ECOVACS | ECOVACS HOME |
Unaffected:
3.0.0
Affected: 0 , < 3.0.0 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52329",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-23T16:56:47.220852Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:29.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ECOVACS HOME",
"vendor": "ECOVACS",
"versions": [
{
"status": "unaffected",
"version": "3.0.0"
},
{
"lessThan": "3.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-12-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H",
"version": "4.0"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-23T16:36:06.533Z",
"orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"shortName": "cisa-cg"
},
"references": [
{
"name": "url",
"url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
},
{
"name": "url",
"url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
},
{
"name": "url",
"url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
}
],
"title": "ECOVACS HOME mobile app plugins do not properly validate TLS certificates"
}
},
"cveMetadata": {
"assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"assignerShortName": "cisa-cg",
"cveId": "CVE-2024-52329",
"datePublished": "2025-01-23T16:36:06.533Z",
"dateReserved": "2024-11-08T01:06:02.405Z",
"dateUpdated": "2025-02-12T20:41:29.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52327 (GCVE-0-2024-52327)
Vulnerability from nvd – Published: 2025-01-23 16:39 – Updated: 2025-02-12 20:41
VLAI?
Title
ECOVACS lawnmower and vacuum cloud service live video PIN bypass
Summary
The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ECOVACS | ECOVACS HOME |
Affected:
0 , < 3.0.2
(custom)
Unaffected: 3.0.2 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52327",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-23T16:53:52.437051Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:28.703Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ECOVACS HOME",
"vendor": "ECOVACS",
"versions": [
{
"lessThan": "3.0.2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "3.0.2"
}
]
},
{
"defaultStatus": "unknown",
"product": "cloud service",
"vendor": "ECOVACS",
"versions": [
{
"lessThan": "2024-12-17",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2024-12-17"
}
]
}
],
"datePublic": "2023-12-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-603",
"description": "CWE-603 Use of Client-Side Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-807",
"description": "CWE-807 Reliance on Untrusted Inputs in a Security Decision",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-23T16:39:27.516Z",
"orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"shortName": "cisa-cg"
},
"references": [
{
"name": "url",
"url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
},
{
"name": "url",
"url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
},
{
"name": "url",
"url": "https://www.ecovacs.com/global/userhelp/dsa20241217002"
}
],
"title": "ECOVACS lawnmower and vacuum cloud service live video PIN bypass"
}
},
"cveMetadata": {
"assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"assignerShortName": "cisa-cg",
"cveId": "CVE-2024-52327",
"datePublished": "2025-01-23T16:39:27.516Z",
"dateReserved": "2024-11-08T01:06:02.404Z",
"dateUpdated": "2025-02-12T20:41:28.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52327 (GCVE-0-2024-52327)
Vulnerability from cvelistv5 – Published: 2025-01-23 16:39 – Updated: 2025-02-12 20:41
VLAI?
Title
ECOVACS lawnmower and vacuum cloud service live video PIN bypass
Summary
The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| ECOVACS | ECOVACS HOME |
Affected:
0 , < 3.0.2
(custom)
Unaffected: 3.0.2 |
|||||||
|
|||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52327",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-23T16:53:52.437051Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:28.703Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ECOVACS HOME",
"vendor": "ECOVACS",
"versions": [
{
"lessThan": "3.0.2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "3.0.2"
}
]
},
{
"defaultStatus": "unknown",
"product": "cloud service",
"vendor": "ECOVACS",
"versions": [
{
"lessThan": "2024-12-17",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "2024-12-17"
}
]
}
],
"datePublic": "2023-12-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-603",
"description": "CWE-603 Use of Client-Side Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-807",
"description": "CWE-807 Reliance on Untrusted Inputs in a Security Decision",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-23T16:39:27.516Z",
"orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"shortName": "cisa-cg"
},
"references": [
{
"name": "url",
"url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
},
{
"name": "url",
"url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
},
{
"name": "url",
"url": "https://www.ecovacs.com/global/userhelp/dsa20241217002"
}
],
"title": "ECOVACS lawnmower and vacuum cloud service live video PIN bypass"
}
},
"cveMetadata": {
"assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"assignerShortName": "cisa-cg",
"cveId": "CVE-2024-52327",
"datePublished": "2025-01-23T16:39:27.516Z",
"dateReserved": "2024-11-08T01:06:02.404Z",
"dateUpdated": "2025-02-12T20:41:28.703Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-52329 (GCVE-0-2024-52329)
Vulnerability from cvelistv5 – Published: 2025-01-23 16:36 – Updated: 2025-02-12 20:41
VLAI?
Title
ECOVACS HOME mobile app plugins do not properly validate TLS certificates
Summary
ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens.
Severity ?
7.4 (High)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ECOVACS | ECOVACS HOME |
Unaffected:
3.0.0
Affected: 0 , < 3.0.0 (custom) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52329",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-23T16:56:47.220852Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-12T20:41:29.110Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "ECOVACS HOME",
"vendor": "ECOVACS",
"versions": [
{
"status": "unaffected",
"version": "3.0.0"
},
{
"lessThan": "3.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"datePublic": "2023-12-27T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 9.5,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H",
"version": "4.0"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"baseScore": 7.4,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-23T16:36:06.533Z",
"orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"shortName": "cisa-cg"
},
"references": [
{
"name": "url",
"url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
},
{
"name": "url",
"url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
},
{
"name": "url",
"url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
}
],
"title": "ECOVACS HOME mobile app plugins do not properly validate TLS certificates"
}
},
"cveMetadata": {
"assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
"assignerShortName": "cisa-cg",
"cveId": "CVE-2024-52329",
"datePublished": "2025-01-23T16:36:06.533Z",
"dateReserved": "2024-11-08T01:06:02.405Z",
"dateUpdated": "2025-02-12T20:41:29.110Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}