Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for Ecovacs Mobile and Android Application by Ecovacs

    CVE-2025-2394 (GCVE-0-2025-2394)

    Vulnerability from nvd – Published: 2025-05-23 00:03 – Updated: 2025-09-30 05:50
    VLAI
    Title
    Disclosure of Alibaba (OSS) Keys In Ecovacs Home Android and iOS Mobile Applications
    Summary
    Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    TML
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2394",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-23T13:16:37.932318Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-23T13:16:47.733Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android",
                "iOS"
              ],
              "product": "Ecovacs Mobile and Android Application",
              "vendor": "Ecovacs",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.3.0",
                  "versionType": "iOS, Android"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure."
                }
              ],
              "value": "Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "PHYSICAL",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-30T05:50:10.557Z",
            "orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
            "shortName": "TML"
          },
          "references": [
            {
              "url": "https://www.themissinglink.com.au/security-advisories/cve-2025-2394"
            },
            {
              "url": "https://www.ecovacs.com/global/userhelp/dsa20250507001"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Disclosure of Alibaba (OSS) Keys In Ecovacs Home Android and iOS Mobile Applications",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
        "assignerShortName": "TML",
        "cveId": "CVE-2025-2394",
        "datePublished": "2025-05-23T00:03:32.603Z",
        "dateReserved": "2025-03-17T03:57:22.902Z",
        "dateUpdated": "2025-09-30T05:50:10.557Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-2394 (GCVE-0-2025-2394)

    Vulnerability from cvelistv5 – Published: 2025-05-23 00:03 – Updated: 2025-09-30 05:50
    VLAI
    Title
    Disclosure of Alibaba (OSS) Keys In Ecovacs Home Android and iOS Mobile Applications
    Summary
    Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    TML
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2394",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-23T13:16:37.932318Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-23T13:16:47.733Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android",
                "iOS"
              ],
              "product": "Ecovacs Mobile and Android Application",
              "vendor": "Ecovacs",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.3.0",
                  "versionType": "iOS, Android"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure."
                }
              ],
              "value": "Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "PHYSICAL",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-30T05:50:10.557Z",
            "orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
            "shortName": "TML"
          },
          "references": [
            {
              "url": "https://www.themissinglink.com.au/security-advisories/cve-2025-2394"
            },
            {
              "url": "https://www.ecovacs.com/global/userhelp/dsa20250507001"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Disclosure of Alibaba (OSS) Keys In Ecovacs Home Android and iOS Mobile Applications",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
        "assignerShortName": "TML",
        "cveId": "CVE-2025-2394",
        "datePublished": "2025-05-23T00:03:32.603Z",
        "dateReserved": "2025-03-17T03:57:22.902Z",
        "dateUpdated": "2025-09-30T05:50:10.557Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }