Search

Find a vulnerability

Search criteria

    12 vulnerabilities found for deebot_x1_firmware by ecovacs

    CVE-2024-52331 (GCVE-0-2024-52331)

    Vulnerability from nvd – Published: 2025-01-23 16:37 – Updated: 2025-10-02 14:10
    VLAI
    Title
    ECOVACS lawnmowers and vacuums deterministic firmware encryption key
    Summary
    ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-494 - Download of Code Without Integrity Check
    • CWE-1391 - Use of Weak Credentials
    • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
    Assigner
    Impacted products
    Date Public
    2025-01-23 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52331",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:55:20.382490Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:28.822Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Unspecified robots",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            }
          ],
          "datePublic": "2025-01-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-494",
                  "description": "CWE-494 Download of Code Without Integrity Check",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1391",
                  "description": "CWE-1391 Use of Weak Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-327",
                  "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-02T14:10:10.821Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.html"
            },
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            }
          ],
          "title": "ECOVACS lawnmowers and vacuums deterministic firmware encryption key"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-52331",
        "datePublished": "2025-01-23T16:37:31.290Z",
        "dateReserved": "2024-11-08T01:06:02.405Z",
        "dateUpdated": "2025-10-02T14:10:10.821Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-52330 (GCVE-0-2024-52330)

    Vulnerability from nvd – Published: 2025-01-23 16:36 – Updated: 2025-02-12 20:41
    VLAI
    Title
    ECOVACS lawnmowers and vacuums do not properly validate TLS certificates
    Summary
    ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-295 - Improper Certificate Validation
    Assigner
    Impacted products
    Vendor Product Version
    ECOVACS DEEBOT X5 PRO PLUS Unaffected: 1.38.0
    Affected: 0 , < 1.38.0 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT X5 PRO Unaffected: 1.70.0
    Affected: 0 , < 1.70.0 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT X2S Affected: 0 , < 1.49.0 (custom)
    Unaffected: 1.49.0
    Create a notification for this product.
    ECOVACS DEEBOT X2 OMNI Unaffected: 1.76.6
    Affected: 0 , < 1.76.6 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT X1 TURBO Affected: 0 , < 2.4.41 (custom)
    Unaffected: 2.4.41
    Create a notification for this product.
    ECOVACS DEEBOT X1 Unaffected: 1.7.3
    Affected: 0 , < 1.7.3 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT X1S PRO Unaffected: 2.5.31
    Affected: 0 , < 2.5.31 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT X1e OMNI Unaffected: 2.4.42
    Affected: 0 , < 2.4.42 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT T10 PLUS Unaffected: 1.7.5
    Affected: 0 , < 1.7.5 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT T10 OMNI Affected: 0 , < 1.9.0 (custom)
    Unaffected: 1.9.0
    Create a notification for this product.
    ECOVACS DEEBOT X5 PRO ULTRA Affected: 0 , < 1.17.0 (custom)
    Unaffected: 1.17.0
    Create a notification for this product.
    ECOVACS Mate X Unaffected: 1.44.18
    Affected: 0 , < 1.44.18 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT X2 PRO Unaffected: 1.76.6
    Affected: 0 , < 1.76.6 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT X2 COMBO Affected: 0 , < 1.81.10 (custom)
    Unaffected: 1.81.10
    Create a notification for this product.
    ECOVACS DEEBOT X1 OMNI Affected: 0 , < 2.4.41 (custom)
    Unaffected: 2.4.41
    Create a notification for this product.
    ECOVACS DEEBOT X1 PRO OMNI Unaffected: 2.4.41
    Affected: 0 , < 2.4.41 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT X1 PLUS Unaffected: 1.7.3
    Affected: 0 , < 1.7.3 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT X1S PRO PLUS Unaffected: 1.23.0
    Affected: 0 , < 1.23.0 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT T10 TURBO Unaffected: 1.10.0
    Affected: 0 , < 1.10.0 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT T10 Affected: 0 , < 1.7.5 (custom)
    Unaffected: 1.7.5
    Create a notification for this product.
    Date Public
    2023-12-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52330",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:56:31.855219Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:28.969Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X5 PRO PLUS",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.38.0"
                },
                {
                  "lessThan": "1.38.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X5 PRO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.70.0"
                },
                {
                  "lessThan": "1.70.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X2S",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "1.49.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "1.49.0"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X2  OMNI",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.76.6"
                },
                {
                  "lessThan": "1.76.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 TURBO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "2.4.41",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2.4.41"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.7.3"
                },
                {
                  "lessThan": "1.7.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1S PRO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "2.5.31"
                },
                {
                  "lessThan": "2.5.31",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1e OMNI",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "2.4.42"
                },
                {
                  "lessThan": "2.4.42",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10 PLUS",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.7.5"
                },
                {
                  "lessThan": "1.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10 OMNI",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "1.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "1.9.0"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X5 PRO ULTRA",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "1.17.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "1.17.0"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "Mate X",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.44.18"
                },
                {
                  "lessThan": "1.44.18",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X2 PRO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.76.6"
                },
                {
                  "lessThan": "1.76.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X2 COMBO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "1.81.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "1.81.10"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 OMNI",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "2.4.41",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2.4.41"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 PRO OMNI",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "2.4.41"
                },
                {
                  "lessThan": "2.4.41",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 PLUS",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.7.3"
                },
                {
                  "lessThan": "1.7.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1S PRO PLUS",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.23.0"
                },
                {
                  "lessThan": "1.23.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10 TURBO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.10.0"
                },
                {
                  "lessThan": "1.10.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "1.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "1.7.5"
                }
              ]
            }
          ],
          "datePublic": "2023-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295 Improper Certificate Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-23T16:36:50.128Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
            },
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            },
            {
              "name": "url",
              "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
            }
          ],
          "title": "ECOVACS lawnmowers and vacuums do not properly validate TLS certificates"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-52330",
        "datePublished": "2025-01-23T16:36:50.128Z",
        "dateReserved": "2024-11-08T01:06:02.405Z",
        "dateUpdated": "2025-02-12T20:41:28.969Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-52328 (GCVE-0-2024-52328)

    Vulnerability from nvd – Published: 2025-01-23 16:35 – Updated: 2025-02-12 20:41
    VLAI
    Title
    ECOVACS lawnmowers and vacuums insecurely store audio warning files
    Summary
    ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    Impacted products
    Date Public
    2023-12-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52328",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:56:59.738808Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:29.266Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Unspecified robots",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            }
          ],
          "datePublic": "2023-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 1.8,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-23T16:35:23.197Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
            },
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            }
          ],
          "title": "ECOVACS lawnmowers and vacuums insecurely store audio warning files"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-52328",
        "datePublished": "2025-01-23T16:35:23.197Z",
        "dateReserved": "2024-11-08T01:06:02.404Z",
        "dateUpdated": "2025-02-12T20:41:29.266Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-12079 (GCVE-0-2024-12079)

    Vulnerability from nvd – Published: 2025-01-23 16:39 – Updated: 2025-02-12 17:12
    VLAI
    Title
    ECOVACS lawnmowers cleartext storage of anti-theft PIN
    Summary
    ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-312 - Cleartext Storage of Sensitive Information
    Assigner
    Impacted products
    Date Public
    2023-12-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12079",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:54:04.223721Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T17:12:21.831Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Unspecified robots",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            }
          ],
          "datePublic": "2023-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-312",
                  "description": "CWE-312 Cleartext Storage of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-23T16:39:06.903Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            }
          ],
          "title": "ECOVACS lawnmowers cleartext storage of anti-theft PIN"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-12079",
        "datePublished": "2025-01-23T16:39:06.903Z",
        "dateReserved": "2024-12-03T00:26:02.380Z",
        "dateUpdated": "2025-02-12T17:12:21.831Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-12078 (GCVE-0-2024-12078)

    Vulnerability from nvd – Published: 2025-01-23 16:38 – Updated: 2025-02-12 17:11
    VLAI
    Title
    ECOVACS lawnmowers and vacuums static BLE GATT encryption key
    Summary
    ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-321 - Use of Hard-coded Cryptographic Key
    Assigner
    Impacted products
    Date Public
    2023-12-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12078",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:54:13.718772Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T17:11:14.933Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Unspecified robots",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            }
          ],
          "datePublic": "2023-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "CWE-321 Use of Hard-coded Cryptographic Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-23T16:38:48.017Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            },
            {
              "name": "url",
              "url": "https://youtu.be/_wUsM0Mlenc?t=2041"
            }
          ],
          "title": "ECOVACS lawnmowers and vacuums static BLE GATT encryption key"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-12078",
        "datePublished": "2025-01-23T16:38:48.017Z",
        "dateReserved": "2024-12-02T23:55:12.974Z",
        "dateUpdated": "2025-02-12T17:11:14.933Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-11147 (GCVE-0-2024-11147)

    Vulnerability from nvd – Published: 2025-01-23 16:37 – Updated: 2025-02-12 17:07
    VLAI
    Title
    ECOVACS lawnmowers and vacuums deterministic root password
    Summary
    ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can login as root.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    Impacted products
    Date Public
    2023-12-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-11147",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:54:55.367221Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T17:07:28.749Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Unspecified robots",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            }
          ],
          "datePublic": "2023-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can login as root."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "PHYSICAL",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-23T16:37:54.479Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
            },
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            },
            {
              "name": "url",
              "url": "https://builder.dontvacuum.me/ecopassword.php"
            }
          ],
          "title": "ECOVACS lawnmowers and vacuums deterministic root password"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-11147",
        "datePublished": "2025-01-23T16:37:54.479Z",
        "dateReserved": "2024-11-12T15:39:13.966Z",
        "dateUpdated": "2025-02-12T17:07:28.749Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-12079 (GCVE-0-2024-12079)

    Vulnerability from cvelistv5 – Published: 2025-01-23 16:39 – Updated: 2025-02-12 17:12
    VLAI
    Title
    ECOVACS lawnmowers cleartext storage of anti-theft PIN
    Summary
    ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-312 - Cleartext Storage of Sensitive Information
    Assigner
    Impacted products
    Date Public
    2023-12-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12079",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:54:04.223721Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T17:12:21.831Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Unspecified robots",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            }
          ],
          "datePublic": "2023-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "LOCAL",
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "LOW",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "NONE",
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-312",
                  "description": "CWE-312 Cleartext Storage of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-23T16:39:06.903Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            }
          ],
          "title": "ECOVACS lawnmowers cleartext storage of anti-theft PIN"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-12079",
        "datePublished": "2025-01-23T16:39:06.903Z",
        "dateReserved": "2024-12-03T00:26:02.380Z",
        "dateUpdated": "2025-02-12T17:12:21.831Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-12078 (GCVE-0-2024-12078)

    Vulnerability from cvelistv5 – Published: 2025-01-23 16:38 – Updated: 2025-02-12 17:11
    VLAI
    Title
    ECOVACS lawnmowers and vacuums static BLE GATT encryption key
    Summary
    ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-321 - Use of Hard-coded Cryptographic Key
    Assigner
    Impacted products
    Date Public
    2023-12-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-12078",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:54:13.718772Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T17:11:14.933Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Unspecified robots",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            }
          ],
          "datePublic": "2023-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "ADJACENT",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW"
              }
            },
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "CWE-321 Use of Hard-coded Cryptographic Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-23T16:38:48.017Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            },
            {
              "name": "url",
              "url": "https://youtu.be/_wUsM0Mlenc?t=2041"
            }
          ],
          "title": "ECOVACS lawnmowers and vacuums static BLE GATT encryption key"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-12078",
        "datePublished": "2025-01-23T16:38:48.017Z",
        "dateReserved": "2024-12-02T23:55:12.974Z",
        "dateUpdated": "2025-02-12T17:11:14.933Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-11147 (GCVE-0-2024-11147)

    Vulnerability from cvelistv5 – Published: 2025-01-23 16:37 – Updated: 2025-02-12 17:07
    VLAI
    Title
    ECOVACS lawnmowers and vacuums deterministic root password
    Summary
    ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can login as root.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    Impacted products
    Date Public
    2023-12-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-11147",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:54:55.367221Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T17:07:28.749Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Unspecified robots",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            }
          ],
          "datePublic": "2023-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can login as root."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "PHYSICAL",
                "baseScore": 7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-23T16:37:54.479Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
            },
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            },
            {
              "name": "url",
              "url": "https://builder.dontvacuum.me/ecopassword.php"
            }
          ],
          "title": "ECOVACS lawnmowers and vacuums deterministic root password"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-11147",
        "datePublished": "2025-01-23T16:37:54.479Z",
        "dateReserved": "2024-11-12T15:39:13.966Z",
        "dateUpdated": "2025-02-12T17:07:28.749Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-52331 (GCVE-0-2024-52331)

    Vulnerability from cvelistv5 – Published: 2025-01-23 16:37 – Updated: 2025-10-02 14:10
    VLAI
    Title
    ECOVACS lawnmowers and vacuums deterministic firmware encryption key
    Summary
    ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-494 - Download of Code Without Integrity Check
    • CWE-1391 - Use of Weak Credentials
    • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
    Assigner
    Impacted products
    Date Public
    2025-01-23 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52331",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:55:20.382490Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:28.822Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Unspecified robots",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            }
          ],
          "datePublic": "2025-01-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "NETWORK",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "PASSIVE",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "HIGH",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-494",
                  "description": "CWE-494 Download of Code Without Integrity Check",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-1391",
                  "description": "CWE-1391 Use of Weak Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-327",
                  "description": "CWE-327 Use of a Broken or Risky Cryptographic Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-10-02T14:10:10.821Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.html"
            },
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            }
          ],
          "title": "ECOVACS lawnmowers and vacuums deterministic firmware encryption key"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-52331",
        "datePublished": "2025-01-23T16:37:31.290Z",
        "dateReserved": "2024-11-08T01:06:02.405Z",
        "dateUpdated": "2025-10-02T14:10:10.821Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-52330 (GCVE-0-2024-52330)

    Vulnerability from cvelistv5 – Published: 2025-01-23 16:36 – Updated: 2025-02-12 20:41
    VLAI
    Title
    ECOVACS lawnmowers and vacuums do not properly validate TLS certificates
    Summary
    ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-295 - Improper Certificate Validation
    Assigner
    Impacted products
    Vendor Product Version
    ECOVACS DEEBOT X5 PRO PLUS Unaffected: 1.38.0
    Affected: 0 , < 1.38.0 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT X5 PRO Unaffected: 1.70.0
    Affected: 0 , < 1.70.0 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT X2S Affected: 0 , < 1.49.0 (custom)
    Unaffected: 1.49.0
    Create a notification for this product.
    ECOVACS DEEBOT X2 OMNI Unaffected: 1.76.6
    Affected: 0 , < 1.76.6 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT X1 TURBO Affected: 0 , < 2.4.41 (custom)
    Unaffected: 2.4.41
    Create a notification for this product.
    ECOVACS DEEBOT X1 Unaffected: 1.7.3
    Affected: 0 , < 1.7.3 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT X1S PRO Unaffected: 2.5.31
    Affected: 0 , < 2.5.31 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT X1e OMNI Unaffected: 2.4.42
    Affected: 0 , < 2.4.42 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT T10 PLUS Unaffected: 1.7.5
    Affected: 0 , < 1.7.5 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT T10 OMNI Affected: 0 , < 1.9.0 (custom)
    Unaffected: 1.9.0
    Create a notification for this product.
    ECOVACS DEEBOT X5 PRO ULTRA Affected: 0 , < 1.17.0 (custom)
    Unaffected: 1.17.0
    Create a notification for this product.
    ECOVACS Mate X Unaffected: 1.44.18
    Affected: 0 , < 1.44.18 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT X2 PRO Unaffected: 1.76.6
    Affected: 0 , < 1.76.6 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT X2 COMBO Affected: 0 , < 1.81.10 (custom)
    Unaffected: 1.81.10
    Create a notification for this product.
    ECOVACS DEEBOT X1 OMNI Affected: 0 , < 2.4.41 (custom)
    Unaffected: 2.4.41
    Create a notification for this product.
    ECOVACS DEEBOT X1 PRO OMNI Unaffected: 2.4.41
    Affected: 0 , < 2.4.41 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT X1 PLUS Unaffected: 1.7.3
    Affected: 0 , < 1.7.3 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT X1S PRO PLUS Unaffected: 1.23.0
    Affected: 0 , < 1.23.0 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT T10 TURBO Unaffected: 1.10.0
    Affected: 0 , < 1.10.0 (custom)
    Create a notification for this product.
    ECOVACS DEEBOT T10 Affected: 0 , < 1.7.5 (custom)
    Unaffected: 1.7.5
    Create a notification for this product.
    Date Public
    2023-12-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52330",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:56:31.855219Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:28.969Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X5 PRO PLUS",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.38.0"
                },
                {
                  "lessThan": "1.38.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X5 PRO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.70.0"
                },
                {
                  "lessThan": "1.70.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X2S",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "1.49.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "1.49.0"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X2  OMNI",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.76.6"
                },
                {
                  "lessThan": "1.76.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 TURBO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "2.4.41",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2.4.41"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.7.3"
                },
                {
                  "lessThan": "1.7.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1S PRO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "2.5.31"
                },
                {
                  "lessThan": "2.5.31",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1e OMNI",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "2.4.42"
                },
                {
                  "lessThan": "2.4.42",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10 PLUS",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.7.5"
                },
                {
                  "lessThan": "1.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10 OMNI",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "1.9.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "1.9.0"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X5 PRO ULTRA",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "1.17.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "1.17.0"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "Mate X",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.44.18"
                },
                {
                  "lessThan": "1.44.18",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X2 PRO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.76.6"
                },
                {
                  "lessThan": "1.76.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X2 COMBO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "1.81.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "1.81.10"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 OMNI",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "2.4.41",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2.4.41"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 PRO OMNI",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "2.4.41"
                },
                {
                  "lessThan": "2.4.41",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1 PLUS",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.7.3"
                },
                {
                  "lessThan": "1.7.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT X1S PRO PLUS",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.23.0"
                },
                {
                  "lessThan": "1.23.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10 TURBO",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "1.10.0"
                },
                {
                  "lessThan": "1.10.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "DEEBOT T10",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "1.7.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "1.7.5"
                }
              ]
            }
          ],
          "datePublic": "2023-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            },
            {
              "cvssV4_0": {
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295 Improper Certificate Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-23T16:36:50.128Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
            },
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            },
            {
              "name": "url",
              "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
            }
          ],
          "title": "ECOVACS lawnmowers and vacuums do not properly validate TLS certificates"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-52330",
        "datePublished": "2025-01-23T16:36:50.128Z",
        "dateReserved": "2024-11-08T01:06:02.405Z",
        "dateUpdated": "2025-02-12T20:41:28.969Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-52328 (GCVE-0-2024-52328)

    Vulnerability from cvelistv5 – Published: 2025-01-23 16:35 – Updated: 2025-02-12 20:41
    VLAI
    Title
    ECOVACS lawnmowers and vacuums insecurely store audio warning files
    Summary
    ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-732 - Incorrect Permission Assignment for Critical Resource
    Assigner
    Impacted products
    Date Public
    2023-12-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52328",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:56:59.738808Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:29.266Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "Unspecified robots",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "affected",
                  "version": "*"
                }
              ]
            }
          ],
          "datePublic": "2023-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 1.8,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-732",
                  "description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-23T16:35:23.197Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
            },
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            }
          ],
          "title": "ECOVACS lawnmowers and vacuums insecurely store audio warning files"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-52328",
        "datePublished": "2025-01-23T16:35:23.197Z",
        "dateReserved": "2024-11-08T01:06:02.404Z",
        "dateUpdated": "2025-02-12T20:41:29.266Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }