
    8 vulnerabilities found for deebot_t10_turbo_firmware by ecovacs

    CVE-2025-30200 (GCVE-0-2025-30200)

    Vulnerability from nvd – Published: 2025-09-05 17:43 – Updated: 2025-09-08 18:22
    VLAI
    Title
    ECOVACS Vacuum and Base Station Hard-Coded AES Encryption
    Summary
    ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption key, which can be easily derived.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-321 - Use of Hard-coded Cryptographic Key
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    Date Public
    2025-07-09 00:00
    Credits
    Dennis Giese, Braelynn Luedtke, Chris Anderson

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-30200",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-08T18:22:11.344266Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-08T18:22:21.457Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T20 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T30 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Dennis Giese, undefined"
            },
            {
              "lang": "en",
              "value": "Braelynn Luedtke, undefined"
            },
            {
              "lang": "en",
              "value": "Chris Anderson, undefined"
            }
          ],
          "datePublic": "2025-07-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption key, which can be easily derived."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "ADJACENT",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            },
            {
              "other": {
                "content": {
                  "id": "CVE-2025-30200",
                  "options": [
                    {
                      "Exploitation": "none"
                    },
                    {
                      "Automatable": "no"
                    },
                    {
                      "Technical Impact": "partial"
                    }
                  ],
                  "role": "CISA Coordinator",
                  "timestamp": "2025-09-08T18:11:07.109909Z",
                  "version": "2.0.3"
                },
                "type": "ssvc"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "CWE-321 Use of Hard-coded Cryptographic Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-08T18:11:26.081Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-135-19"
            },
            {
              "name": "url",
              "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-135-19.json"
            },
            {
              "name": "url",
              "url": "https://www.cve.org/CVERecord?id=CVE-2025-30200"
            }
          ],
          "title": "ECOVACS Vacuum and Base Station Hard-Coded AES Encryption"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2025-30200",
        "datePublished": "2025-09-05T17:43:20.802Z",
        "dateReserved": "2025-03-18T15:53:26.926Z",
        "dateUpdated": "2025-09-08T18:22:21.457Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-30199 (GCVE-0-2025-30199)

    Vulnerability from nvd – Published: 2025-09-05 17:45 – Updated: 2025-09-08 18:21
    VLAI
    Title
    ECOVACS Vacuum and Base Station accept unsigned firmware
    Summary
    ECOVACS vacuum robot base stations do not validate firmware updates, so malicious over-the-air updates can be sent to the base station via the insecure connection between the robot and the base station.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-494 - Download of Code Without Integrity Check
    Assigner
    Date Public
    2025-07-09 00:00
    Credits
    Dennis Giese, Braelynn Luedtke, Chris Anderson

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-30199",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-08T18:20:48.723390Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-08T18:21:06.626Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T20 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T30 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Dennis Giese, undefined"
            },
            {
              "lang": "en",
              "value": "Braelynn Luedtke, undefined"
            },
            {
              "lang": "en",
              "value": "Chris Anderson, undefined"
            }
          ],
          "datePublic": "2025-07-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS vacuum robot base stations do not validate firmware updates, so malicious over-the-air updates can be sent to base station via insecure connection between robot and base station."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            },
            {
              "other": {
                "content": {
                  "id": "CVE-2025-30199",
                  "options": [
                    {
                      "Exploitation": "none"
                    },
                    {
                      "Automatable": "no"
                    },
                    {
                      "Technical Impact": "total"
                    }
                  ],
                  "role": "CISA Coordinator",
                  "timestamp": "2025-09-08T18:09:57.869806Z",
                  "version": "2.0.3"
                },
                "type": "ssvc"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-494",
                  "description": "CWE-494 Download of Code Without Integrity Check",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-08T18:10:36.047Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-135-19"
            },
            {
              "name": "url",
              "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-135-19.json"
            },
            {
              "name": "url",
              "url": "https://www.cve.org/CVERecord?id=CVE-2025-30199"
            }
          ],
          "title": "ECOVACS Vacuum and Base Station accept unsigned firmware"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2025-30199",
        "datePublished": "2025-09-05T17:45:07.227Z",
        "dateReserved": "2025-03-18T15:53:08.738Z",
        "dateUpdated": "2025-09-08T18:21:06.626Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-30198 (GCVE-0-2025-30198)

    Vulnerability from nvd – Published: 2025-09-05 17:45 – Updated: 2025-09-08 18:20
    VLAI
    Title
    ECOVACS Vacuum and Base Station Hard-Coded WPA2-PSK
    Summary
    ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK, which can be easily derived.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-321 - Use of Hard-coded Cryptographic Key
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    Date Public
    2025-07-09 00:00
    Credits
    Dennis Giese, Braelynn Luedtke, Chris Anderson

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-30198",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-08T18:20:11.799443Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-08T18:20:26.088Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T20 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T30 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Dennis Giese, undefined"
            },
            {
              "lang": "en",
              "value": "Braelynn Luedtke, undefined"
            },
            {
              "lang": "en",
              "value": "Chris Anderson, undefined"
            }
          ],
          "datePublic": "2025-07-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK, which can be easily derived."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "ADJACENT",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            },
            {
              "other": {
                "content": {
                  "id": "CVE-2025-30198",
                  "options": [
                    {
                      "Exploitation": "none"
                    },
                    {
                      "Automatable": "no"
                    },
                    {
                      "Technical Impact": "partial"
                    }
                  ],
                  "role": "CISA Coordinator",
                  "timestamp": "2025-09-08T18:08:40.565084Z",
                  "version": "2.0.3"
                },
                "type": "ssvc"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "CWE-321 Use of Hard-coded Cryptographic Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-08T18:09:16.263Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-135-19"
            },
            {
              "name": "url",
              "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-135-19.json"
            },
            {
              "name": "url",
              "url": "https://www.cve.org/CVERecord?id=CVE-2025-30198"
            }
          ],
          "title": "ECOVACS Vacuum and Base Station Hard-Coded WPA2-PSK"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2025-30198",
        "datePublished": "2025-09-05T17:45:36.945Z",
        "dateReserved": "2025-03-18T15:52:43.925Z",
        "dateUpdated": "2025-09-08T18:20:26.088Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-52330 (GCVE-0-2024-52330)

    Vulnerability from nvd – Published: 2025-01-23 16:36 – Updated: 2025-02-12 20:41
    VLAI
    Title
    ECOVACS lawnmowers and vacuums do not properly validate TLS certificates
    Summary
    ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-295 - Improper Certificate Validation
    Assigner
    Impacted products
    Vendor Product Version
    ECOVACS DEEBOT X5 PRO PLUS Unaffected: 1.38.0
    Affected: 0 , < 1.38.0 (custom)
    ECOVACS DEEBOT X5 PRO Unaffected: 1.70.0
    Affected: 0 , < 1.70.0 (custom)
    ECOVACS DEEBOT X2S Affected: 0 , < 1.49.0 (custom)
    Unaffected: 1.49.0
    ECOVACS DEEBOT X2 OMNI Unaffected: 1.76.6
    Affected: 0 , < 1.76.6 (custom)
    ECOVACS DEEBOT X1 TURBO Affected: 0 , < 2.4.41 (custom)
    Unaffected: 2.4.41
    ECOVACS DEEBOT X1 Unaffected: 1.7.3
    Affected: 0 , < 1.7.3 (custom)
    ECOVACS DEEBOT X1S PRO Unaffected: 2.5.31
    Affected: 0 , < 2.5.31 (custom)
    ECOVACS DEEBOT X1e OMNI Unaffected: 2.4.42
    Affected: 0 , < 2.4.42 (custom)
    ECOVACS DEEBOT T10 PLUS Unaffected: 1.7.5
    Affected: 0 , < 1.7.5 (custom)
    ECOVACS DEEBOT T10 OMNI Affected: 0 , < 1.9.0 (custom)
    Unaffected: 1.9.0
    ECOVACS DEEBOT X5 PRO ULTRA Affected: 0 , < 1.17.0 (custom)
    Unaffected: 1.17.0
    ECOVACS Mate X Unaffected: 1.44.18
    Affected: 0 , < 1.44.18 (custom)
    ECOVACS DEEBOT X2 PRO Unaffected: 1.76.6
    Affected: 0 , < 1.76.6 (custom)
    ECOVACS DEEBOT X2 COMBO Affected: 0 , < 1.81.10 (custom)
    Unaffected: 1.81.10
    ECOVACS DEEBOT X1 OMNI Affected: 0 , < 2.4.41 (custom)
    Unaffected: 2.4.41
    ECOVACS DEEBOT X1 PRO OMNI Unaffected: 2.4.41
    Affected: 0 , < 2.4.41 (custom)
    ECOVACS DEEBOT X1 PLUS Unaffected: 1.7.3
    Affected: 0 , < 1.7.3 (custom)
    ECOVACS DEEBOT X1S PRO PLUS Unaffected: 1.23.0
    Affected: 0 , < 1.23.0 (custom)
    ECOVACS DEEBOT T10 TURBO Unaffected: 1.10.0
    Affected: 0 , < 1.10.0 (custom)
    ECOVACS DEEBOT T10 Affected: 0 , < 1.7.5 (custom)
    Unaffected: 1.7.5
    Date Public
    2023-12-27 00:00

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52330",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:56:31.855219Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:28.969Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X5 PRO PLUS",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.38.0"
                },
                {
                  "lessThan": "1.38.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X5 PRO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.70.0"
                },
                {
                  "lessThan": "1.70.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X2S",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "1.49.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "1.49.0"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X2  OMNI",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.76.6"
                },
                {
                  "lessThan": "1.76.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 TURBO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "2.4.41",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2.4.41"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.7.3"
                },
                {
                  "lessThan": "1.7.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1S PRO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "2.5.31"
                },
                {
                  "lessThan": "2.5.31",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1e OMNI",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "2.4.42"
                },
                {
                  "lessThan": "2.4.42",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10 PLUS",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.7.5"
                },
                {
                  "lessThan": "1.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10 OMNI",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "1.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "1.9.0"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X5 PRO ULTRA",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "1.17.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "1.17.0"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "Mate X",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.44.18"
                },
                {
                  "lessThan": "1.44.18",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X2 PRO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.76.6"
                },
                {
                  "lessThan": "1.76.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X2 COMBO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "1.81.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "1.81.10"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 OMNI",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "2.4.41",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2.4.41"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 PRO OMNI",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "2.4.41"
                },
                {
                  "lessThan": "2.4.41",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 PLUS",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.7.3"
                },
                {
                  "lessThan": "1.7.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1S PRO PLUS",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.23.0"
                },
                {
                  "lessThan": "1.23.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10 TURBO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.10.0"
                },
                {
                  "lessThan": "1.10.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "1.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "1.7.5"
                }
              ]
            }
          ],
          "datePublic": "2023-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295 Improper Certificate Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-23T16:36:50.128Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
            },
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            },
            {
              "name": "url",
              "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
            }
          ],
          "title": "ECOVACS lawnmowers and vacuums do not properly validate TLS certificates"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-52330",
        "datePublished": "2025-01-23T16:36:50.128Z",
        "dateReserved": "2024-11-08T01:06:02.405Z",
        "dateUpdated": "2025-02-12T20:41:28.969Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-30198 (GCVE-0-2025-30198)

    Vulnerability from cvelistv5 – Published: 2025-09-05 17:45 – Updated: 2025-09-08 18:20
    Title
    ECOVACS Vacuum and Base Station Hard-Coded WPA2-PSK
    Summary
    ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK, which can be easily derived.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-321 - Use of Hard-coded Cryptographic Key
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    cisa-cg
    Date Public
    2025-07-09 00:00
    Credits
    Dennis Giese, Braelynn Luedtke, Chris Anderson

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-30198",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-08T18:20:11.799443Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-08T18:20:26.088Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T20 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T30 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Dennis Giese, undefined"
            },
            {
              "lang": "en",
              "value": "Braelynn Luedtke, undefined"
            },
            {
              "lang": "en",
              "value": "Chris Anderson, undefined"
            }
          ],
          "datePublic": "2025-07-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK, which can be easily derived."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "ADJACENT",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            },
            {
              "other": {
                "content": {
                  "id": "CVE-2025-30198",
                  "options": [
                    {
                      "Exploitation": "none"
                    },
                    {
                      "Automatable": "no"
                    },
                    {
                      "Technical Impact": "partial"
                    }
                  ],
                  "role": "CISA Coordinator",
                  "timestamp": "2025-09-08T18:08:40.565084Z",
                  "version": "2.0.3"
                },
                "type": "ssvc"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "CWE-321 Use of Hard-coded Cryptographic Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-08T18:09:16.263Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-135-19"
            },
            {
              "name": "url",
              "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-135-19.json"
            },
            {
              "name": "url",
              "url": "https://www.cve.org/CVERecord?id=CVE-2025-30198"
            }
          ],
          "title": "ECOVACS Vacuum and Base Station Hard-Coded WPA2-PSK"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2025-30198",
        "datePublished": "2025-09-05T17:45:36.945Z",
        "dateReserved": "2025-03-18T15:52:43.925Z",
        "dateUpdated": "2025-09-08T18:20:26.088Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-30199 (GCVE-0-2025-30199)

    Vulnerability from cvelistv5 – Published: 2025-09-05 17:45 – Updated: 2025-09-08 18:21
    Title
    ECOVACS Vacuum and Base Station accept unsigned firmware
    Summary
    ECOVACS vacuum robot base stations do not validate firmware updates, so malicious over-the-air updates can be sent to base station via insecure connection between robot and base station.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-494 - Download of Code Without Integrity Check
    Assigner
    cisa-cg
    Date Public
    2025-07-09 00:00
    Credits
    Dennis Giese, Braelynn Luedtke, Chris Anderson

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-30199",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-08T18:20:48.723390Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-08T18:21:06.626Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T20 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T30 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Dennis Giese, undefined"
            },
            {
              "lang": "en",
              "value": "Braelynn Luedtke, undefined"
            },
            {
              "lang": "en",
              "value": "Chris Anderson, undefined"
            }
          ],
          "datePublic": "2025-07-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS vacuum robot base stations do not validate firmware updates, so malicious over-the-air updates can be sent to base station via insecure connection between robot and base station."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "privilegesRequired": "HIGH",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            },
            {
              "other": {
                "content": {
                  "id": "CVE-2025-30199",
                  "options": [
                    {
                      "Exploitation": "none"
                    },
                    {
                      "Automatable": "no"
                    },
                    {
                      "Technical Impact": "total"
                    }
                  ],
                  "role": "CISA Coordinator",
                  "timestamp": "2025-09-08T18:09:57.869806Z",
                  "version": "2.0.3"
                },
                "type": "ssvc"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-494",
                  "description": "CWE-494 Download of Code Without Integrity Check",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-08T18:10:36.047Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-135-19"
            },
            {
              "name": "url",
              "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-135-19.json"
            },
            {
              "name": "url",
              "url": "https://www.cve.org/CVERecord?id=CVE-2025-30199"
            }
          ],
          "title": "ECOVACS Vacuum and Base Station accept unsigned firmware"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2025-30199",
        "datePublished": "2025-09-05T17:45:07.227Z",
        "dateReserved": "2025-03-18T15:53:08.738Z",
        "dateUpdated": "2025-09-08T18:21:06.626Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-30200 (GCVE-0-2025-30200)

    Vulnerability from cvelistv5 – Published: 2025-09-05 17:43 – Updated: 2025-09-08 18:22
    Title
    ECOVACS Vacuum and Base Station Hard-Coded AES Encryption
    Summary
    ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption key, which can be easily derived.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-321 - Use of Hard-coded Cryptographic Key
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    cisa-cg
    Date Public
    2025-07-09 00:00
    Credits
    Dennis Giese, Braelynn Luedtke, Chris Anderson

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-30200",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-09-08T18:22:11.344266Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-09-08T18:22:21.457Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T20 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T30 Series",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Dennis Giese, undefined"
            },
            {
              "lang": "en",
              "value": "Braelynn Luedtke, undefined"
            },
            {
              "lang": "en",
              "value": "Chris Anderson, undefined"
            }
          ],
          "datePublic": "2025-07-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption key, which can be easily derived."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "ADJACENT",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            },
            {
              "other": {
                "content": {
                  "id": "CVE-2025-30200",
                  "options": [
                    {
                      "Exploitation": "none"
                    },
                    {
                      "Automatable": "no"
                    },
                    {
                      "Technical Impact": "partial"
                    }
                  ],
                  "role": "CISA Coordinator",
                  "timestamp": "2025-09-08T18:11:07.109909Z",
                  "version": "2.0.3"
                },
                "type": "ssvc"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "CWE-321 Use of Hard-coded Cryptographic Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-08T18:11:26.081Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-135-19"
            },
            {
              "name": "url",
              "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-135-19.json"
            },
            {
              "name": "url",
              "url": "https://www.cve.org/CVERecord?id=CVE-2025-30200"
            }
          ],
          "title": "ECOVACS Vacuum and Base Station Hard-Coded AES Encryption"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2025-30200",
        "datePublished": "2025-09-05T17:43:20.802Z",
        "dateReserved": "2025-03-18T15:53:26.926Z",
        "dateUpdated": "2025-09-08T18:22:21.457Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-52330 (GCVE-0-2024-52330)

    Vulnerability from cvelistv5 – Published: 2025-01-23 16:36 – Updated: 2025-02-12 20:41
    Title
    ECOVACS lawnmowers and vacuums do not properly validate TLS certificates
    Summary
    ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-295 - Improper Certificate Validation
    Assigner
    cisa-cg
    Impacted products
    Vendor Product Version
    ECOVACS DEEBOT X5 PRO PLUS Unaffected: 1.38.0
    Affected: 0 , < 1.38.0 (custom)
    ECOVACS DEEBOT X5 PRO Unaffected: 1.70.0
    Affected: 0 , < 1.70.0 (custom)
    ECOVACS DEEBOT X2S Affected: 0 , < 1.49.0 (custom)
    Unaffected: 1.49.0
    ECOVACS DEEBOT X2 OMNI Unaffected: 1.76.6
    Affected: 0 , < 1.76.6 (custom)
    ECOVACS DEEBOT X1 TURBO Affected: 0 , < 2.4.41 (custom)
    Unaffected: 2.4.41
    ECOVACS DEEBOT X1 Unaffected: 1.7.3
    Affected: 0 , < 1.7.3 (custom)
    ECOVACS DEEBOT X1S PRO Unaffected: 2.5.31
    Affected: 0 , < 2.5.31 (custom)
    ECOVACS DEEBOT X1e OMNI Unaffected: 2.4.42
    Affected: 0 , < 2.4.42 (custom)
    ECOVACS DEEBOT T10 PLUS Unaffected: 1.7.5
    Affected: 0 , < 1.7.5 (custom)
    ECOVACS DEEBOT T10 OMNI Affected: 0 , < 1.9.0 (custom)
    Unaffected: 1.9.0
    ECOVACS DEEBOT X5 PRO ULTRA Affected: 0 , < 1.17.0 (custom)
    Unaffected: 1.17.0
    ECOVACS Mate X Unaffected: 1.44.18
    Affected: 0 , < 1.44.18 (custom)
    ECOVACS DEEBOT X2 PRO Unaffected: 1.76.6
    Affected: 0 , < 1.76.6 (custom)
    ECOVACS DEEBOT X2 COMBO Affected: 0 , < 1.81.10 (custom)
    Unaffected: 1.81.10
    ECOVACS DEEBOT X1 OMNI Affected: 0 , < 2.4.41 (custom)
    Unaffected: 2.4.41
    ECOVACS DEEBOT X1 PRO OMNI Unaffected: 2.4.41
    Affected: 0 , < 2.4.41 (custom)
    ECOVACS DEEBOT X1 PLUS Unaffected: 1.7.3
    Affected: 0 , < 1.7.3 (custom)
    ECOVACS DEEBOT X1S PRO PLUS Unaffected: 1.23.0
    Affected: 0 , < 1.23.0 (custom)
    ECOVACS DEEBOT T10 TURBO Unaffected: 1.10.0
    Affected: 0 , < 1.10.0 (custom)
    ECOVACS DEEBOT T10 Affected: 0 , < 1.7.5 (custom)
    Unaffected: 1.7.5
    Date Public
    2023-12-27 00:00

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52330",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:56:31.855219Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:28.969Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X5 PRO PLUS",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.38.0"
                },
                {
                  "lessThan": "1.38.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X5 PRO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.70.0"
                },
                {
                  "lessThan": "1.70.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X2S",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "1.49.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "1.49.0"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X2  OMNI",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.76.6"
                },
                {
                  "lessThan": "1.76.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 TURBO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "2.4.41",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2.4.41"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.7.3"
                },
                {
                  "lessThan": "1.7.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1S PRO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "2.5.31"
                },
                {
                  "lessThan": "2.5.31",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1e OMNI",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "2.4.42"
                },
                {
                  "lessThan": "2.4.42",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10 PLUS",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.7.5"
                },
                {
                  "lessThan": "1.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10 OMNI",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "1.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "1.9.0"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X5 PRO ULTRA",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "1.17.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "1.17.0"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "Mate X",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.44.18"
                },
                {
                  "lessThan": "1.44.18",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X2 PRO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.76.6"
                },
                {
                  "lessThan": "1.76.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X2 COMBO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "1.81.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "1.81.10"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 OMNI",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "2.4.41",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2.4.41"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 PRO OMNI",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "2.4.41"
                },
                {
                  "lessThan": "2.4.41",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 PLUS",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.7.3"
                },
                {
                  "lessThan": "1.7.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1S PRO PLUS",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.23.0"
                },
                {
                  "lessThan": "1.23.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10 TURBO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.10.0"
                },
                {
                  "lessThan": "1.10.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "1.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "1.7.5"
                }
              ]
            }
          ],
          "datePublic": "2023-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295 Improper Certificate Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-23T16:36:50.128Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
            },
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            },
            {
              "name": "url",
              "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
            }
          ],
          "title": "ECOVACS lawnmowers and vacuums do not properly validate TLS certificates"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-52330",
        "datePublished": "2025-01-23T16:36:50.128Z",
        "dateReserved": "2024-11-08T01:06:02.405Z",
        "dateUpdated": "2025-02-12T20:41:28.969Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }