
    11 vulnerabilities by ecovacs

    VAR-202501-2794

    Vulnerability from variot - Updated: 2025-10-03 23:34

    ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot. Because the key is deterministic, a successful decryption does not show that an update came from the vendor. Multiple ECOVACS products, including DEEBOT 900 firmware, DEEBOT N8 firmware, and DEEBOT T8 firmware, contain vulnerabilities related to insufficient integrity verification of downloaded code and the use of weak authentication credentials. As a result, information may be obtained or tampered with, and service operation may be interrupted (DoS).


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202501-2794",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "deebot t10",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n10",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot x1",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot x2",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n8",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t20",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "goat g1",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot ava",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot z1",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n9",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot andy",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t8",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t9",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot 900",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot ava",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t10",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t9",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "goat g1",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot x1",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot andy",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t8",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t20",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n9",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot 900",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n8",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot x2",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot z1",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n10",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028231"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-52331"
          }
        ]
      },
      "cve": "CVE-2024-52331",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "author": "9119a7d8-5eab-497f-8521-727c672e3725",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 1.6,
                "id": "CVE-2024-52331",
                "impactScore": 5.9,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "High",
                "attackVector": "Network",
                "author": "OTHER",
                "availabilityImpact": "High",
                "baseScore": 7.5,
                "baseSeverity": "High",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "JVNDB-2024-028231",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "Required",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "9119a7d8-5eab-497f-8521-727c672e3725",
                "id": "CVE-2024-52331",
                "trust": 1.0,
                "value": "High"
              },
              {
                "author": "OTHER",
                "id": "JVNDB-2024-028231",
                "trust": 0.8,
                "value": "High"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028231"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-52331"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot. DEEBOT 900 firmware, DEEBOT N8 firmware, DEEBOT T8 firmware etc. ECOVACS The product contains vulnerabilities related to the insufficient integrity verification of downloaded code and the use of weak authentication credentials.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2024-52331"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028231"
          }
        ],
        "trust": 1.62
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2024-52331",
            "trust": 2.6
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028231",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028231"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-52331"
          }
        ]
      },
      "id": "VAR-202501-2794",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.5
      },
      "last_update_date": "2025-10-03T23:34:16.906000Z",
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-1391",
            "trust": 1.0
          },
          {
            "problemtype": "CWE-494",
            "trust": 1.0
          },
          {
            "problemtype": "CWE-327",
            "trust": 1.0
          },
          {
            "problemtype": "Using weak credentials (CWE-1391) [ others ]",
            "trust": 0.8
          },
          {
            "problemtype": " Incomplete integrity verification of downloaded code (CWE-494) [ others ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028231"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-52331"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.8,
            "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
          },
          {
            "trust": 1.8,
            "url": "https://dontvacuum.me/talks/hitcon2024/hitcon-cmt-2024_ecovacs.html"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2024-52331"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028231"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-52331"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028231"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-52331"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-09-30T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2024-028231"
          },
          {
            "date": "2025-01-23T17:15:14.563000",
            "db": "NVD",
            "id": "CVE-2024-52331"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-09-30T07:49:00",
            "db": "JVNDB",
            "id": "JVNDB-2024-028231"
          },
          {
            "date": "2025-10-02T15:15:52.810000",
            "db": "NVD",
            "id": "CVE-2024-52331"
          }
        ]
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "plural \u00a0ECOVACS\u00a0 Vulnerability related to insufficient integrity verification of downloaded code in products",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028231"
          }
        ],
        "trust": 0.8
      }
    }

    VAR-202501-1846

    Vulnerability from variot - Updated: 2025-10-02 23:38

    ECOVACS robot lawnmowers and vacuums use a deterministic root password generated from the model and serial number. An attacker with shell access can log in as root. Multiple ECOVACS products, including DEEBOT 900 firmware, DEEBOT N8 firmware, and DEEBOT T8 firmware, contain a vulnerability related to the use of hard-coded credentials. As a result, information may be obtained or tampered with, and service operation may be interrupted (DoS).


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202501-1846",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "airbot andy",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "goat g1",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n9",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot x2",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot z1",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n8",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t10",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t20",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t8",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot ava",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n10",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot x1",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t9",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot 900",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot ava",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t10",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t9",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "goat g1",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot x1",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot andy",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t8",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t20",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n9",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot 900",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n8",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot x2",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot z1",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n10",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028187"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-11147"
          }
        ]
      },
      "cve": "CVE-2024-11147",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "PHYSICAL",
                "author": "9119a7d8-5eab-497f-8521-727c672e3725",
                "availabilityImpact": "HIGH",
                "baseScore": 7.6,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "exploitabilityScore": 0.9,
                "id": "CVE-2024-11147",
                "impactScore": 6.0,
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Physical",
                "author": "OTHER",
                "availabilityImpact": "High",
                "baseScore": 7.6,
                "baseSeverity": "High",
                "confidentialityImpact": "High",
                "exploitabilityScore": null,
                "id": "JVNDB-2024-028187",
                "impactScore": null,
                "integrityImpact": "High",
                "privilegesRequired": "None",
                "scope": "Changed",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "9119a7d8-5eab-497f-8521-727c672e3725",
                "id": "CVE-2024-11147",
                "trust": 1.0,
                "value": "High"
              },
              {
                "author": "OTHER",
                "id": "JVNDB-2024-028187",
                "trust": 0.8,
                "value": "High"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028187"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-11147"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can login as root. DEEBOT 900 firmware, DEEBOT N8 firmware, DEEBOT T8 firmware etc. ECOVACS The product contains a vulnerability related to the use of hardcoded credentials.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2024-11147"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028187"
          }
        ],
        "trust": 1.62
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2024-11147",
            "trust": 2.6
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028187",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028187"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-11147"
          }
        ]
      },
      "id": "VAR-202501-1846",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.5
      },
      "last_update_date": "2025-10-02T23:38:53.792000Z",
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-798",
            "trust": 1.0
          },
          {
            "problemtype": "Use hard-coded credentials (CWE-798) [ others ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028187"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-11147"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.8,
            "url": "https://builder.dontvacuum.me/ecopassword.php"
          },
          {
            "trust": 1.8,
            "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
          },
          {
            "trust": 1.8,
            "url": "https://dontvacuum.me/talks/hitcon2024/hitcon-cmt-2024_ecovacs.pdf"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2024-11147"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028187"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-11147"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028187"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-11147"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-09-30T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2024-028187"
          },
          {
            "date": "2025-01-23T17:15:12.860000",
            "db": "NVD",
            "id": "CVE-2024-11147"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-09-30T01:47:00",
            "db": "JVNDB",
            "id": "JVNDB-2024-028187"
          },
          {
            "date": "2025-09-23T17:44:13.273000",
            "db": "NVD",
            "id": "CVE-2024-11147"
          }
        ]
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Use of hard-coded credentials vulnerability in multiple ECOVACS products",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028187"
          }
        ],
        "trust": 0.8
      }
    }

    VAR-202501-3202

    Vulnerability from variot - Updated: 2025-10-02 23:37

    ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on. Affected products include DEEBOT N8 firmware, DEEBOT 900 firmware, DEEBOT T8 firmware, and others. These ECOVACS products contain a vulnerability involving improper permission assignment for critical resources (CWE-732). Information may be tampered with.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202501-3202",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "airbot andy",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "goat g1",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n9",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot x2",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot z1",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n8",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t10",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t20",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t8",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot ava",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n10",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot x1",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t9",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot 900",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot ava",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t10",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t9",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "goat g1",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot x1",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot andy",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t8",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t20",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n9",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot 900",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n8",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot x2",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot z1",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n10",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028232"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-52328"
          }
        ]
      },
      "cve": "CVE-2024-52328",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "author": "9119a7d8-5eab-497f-8521-727c672e3725",
                "availabilityImpact": "NONE",
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "NONE",
                "exploitabilityScore": 0.8,
                "id": "CVE-2024-52328",
                "impactScore": 1.4,
                "integrityImpact": "LOW",
                "privilegesRequired": "HIGH",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Local",
                "author": "OTHER",
                "availabilityImpact": "None",
                "baseScore": 2.3,
                "baseSeverity": "Low",
                "confidentialityImpact": "None",
                "exploitabilityScore": null,
                "id": "JVNDB-2024-028232",
                "impactScore": null,
                "integrityImpact": "Low",
                "privilegesRequired": "High",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "9119a7d8-5eab-497f-8521-727c672e3725",
                "id": "CVE-2024-52328",
                "trust": 1.0,
                "value": "Low"
              },
              {
                "author": "OTHER",
                "id": "JVNDB-2024-028232",
                "trust": 0.8,
                "value": "Low"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028232"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-52328"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on. Affected products include DEEBOT N8 firmware, DEEBOT 900 firmware, DEEBOT T8 firmware, and others. These ECOVACS products contain a vulnerability involving improper permission assignment for critical resources (CWE-732). Information may be tampered with.",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2024-52328"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028232"
          }
        ],
        "trust": 1.62
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2024-52328",
            "trust": 2.6
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028232",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028232"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-52328"
          }
        ]
      },
      "id": "VAR-202501-3202",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.5
      },
      "last_update_date": "2025-10-02T23:37:01.563000Z",
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-732",
            "trust": 1.0
          },
          {
            "problemtype": "Improper permission assignment for critical resources (CWE-732) [ others ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028232"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-52328"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.8,
            "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
          },
          {
            "trust": 1.8,
            "url": "https://dontvacuum.me/talks/hitcon2024/hitcon-cmt-2024_ecovacs.pdf"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2024-52328"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028232"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-52328"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028232"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-52328"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-09-30T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2024-028232"
          },
          {
            "date": "2025-01-23T17:15:14.133000",
            "db": "NVD",
            "id": "CVE-2024-52328"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-09-30T07:49:00",
            "db": "JVNDB",
            "id": "JVNDB-2024-028232"
          },
          {
            "date": "2025-09-23T17:44:56.110000",
            "db": "NVD",
            "id": "CVE-2024-52328"
          }
        ]
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Improper permission assignment for critical resources vulnerability in multiple ECOVACS products",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028232"
          }
        ],
        "trust": 0.8
      }
    }

    VAR-202501-3454

    Vulnerability from variot - Updated: 2025-10-02 23:37

    ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key. Affected products include DEEBOT N10 firmware, DEEBOT T10 firmware, DEEBOT X1 firmware, and others. These ECOVACS products contain a vulnerability related to the use of hard-coded encryption keys. Information may be obtained or tampered with, and service operation may be interrupted (DoS).


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202501-3454",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "airbot andy",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t9",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "goat g1",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot x2",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n9",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t20",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t10",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n8",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t8",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot ava",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n10",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot x1",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot z1",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot 900",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot ava",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t10",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t9",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "goat g1",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot x1",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot andy",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t8",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t20",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n9",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot 900",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n8",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot x2",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot z1",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n10",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028217"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-12078"
          }
        ]
      },
      "cve": "CVE-2024-12078",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "ADJACENT",
                "author": "9119a7d8-5eab-497f-8521-727c672e3725",
                "availabilityImpact": "LOW",
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "exploitabilityScore": 2.8,
                "id": "CVE-2024-12078",
                "impactScore": 3.4,
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Adjacent Network",
                "author": "OTHER",
                "availabilityImpact": "Low",
                "baseScore": 6.3,
                "baseSeverity": "Medium",
                "confidentialityImpact": "Low",
                "exploitabilityScore": null,
                "id": "JVNDB-2024-028217",
                "impactScore": null,
                "integrityImpact": "Low",
                "privilegesRequired": "None",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "9119a7d8-5eab-497f-8521-727c672e3725",
                "id": "CVE-2024-12078",
                "trust": 1.0,
                "value": "Medium"
              },
              {
                "author": "OTHER",
                "id": "JVNDB-2024-028217",
                "trust": 0.8,
                "value": "Medium"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028217"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-12078"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key. Affected products include DEEBOT N10 firmware, DEEBOT T10 firmware, DEEBOT X1 firmware, etc. ECOVACS products contain a vulnerability related to the use of hardcoded encryption keys. Information may be obtained or tampered with, and service operation may be interrupted (DoS).",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2024-12078"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028217"
          }
        ],
        "trust": 1.62
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2024-12078",
            "trust": 2.6
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028217",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028217"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-12078"
          }
        ]
      },
      "id": "VAR-202501-3454",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.5
      },
      "last_update_date": "2025-10-02T23:37:01.522000Z",
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-321",
            "trust": 1.0
          },
          {
            "problemtype": "Using hardcoded encryption keys (CWE-321) [ others ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028217"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-12078"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.8,
            "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
          },
          {
            "trust": 1.8,
            "url": "https://youtu.be/_wusm0mlenc?t=2041"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2024-12078"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028217"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-12078"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028217"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-12078"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-09-30T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2024-028217"
          },
          {
            "date": "2025-01-23T17:15:13.020000",
            "db": "NVD",
            "id": "CVE-2024-12078"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-09-30T07:37:00",
            "db": "JVNDB",
            "id": "JVNDB-2024-028217"
          },
          {
            "date": "2025-09-23T17:45:19.900000",
            "db": "NVD",
            "id": "CVE-2024-12078"
          }
        ]
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Vulnerabilities related to the use of hardcoded encryption keys in multiple ECOVACS products",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028217"
          }
        ],
        "trust": 0.8
      }
    }

    VAR-202501-2625

    Vulnerability from variot - Updated: 2025-10-02 23:18

    ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism. Affected products include DEEBOT 900 firmware, DEEBOT N8 firmware, DEEBOT T8 firmware, etc. ECOVACS products contain a vulnerability related to plaintext storage of sensitive information. Information may be obtained.


    {
      "@context": {
        "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
        "affected_products": {
          "@id": "https://www.variotdbs.pl/ref/affected_products"
        },
        "configurations": {
          "@id": "https://www.variotdbs.pl/ref/configurations"
        },
        "credits": {
          "@id": "https://www.variotdbs.pl/ref/credits"
        },
        "cvss": {
          "@id": "https://www.variotdbs.pl/ref/cvss/"
        },
        "description": {
          "@id": "https://www.variotdbs.pl/ref/description/"
        },
        "exploit_availability": {
          "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
        },
        "external_ids": {
          "@id": "https://www.variotdbs.pl/ref/external_ids/"
        },
        "iot": {
          "@id": "https://www.variotdbs.pl/ref/iot/"
        },
        "iot_taxonomy": {
          "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
        },
        "patch": {
          "@id": "https://www.variotdbs.pl/ref/patch/"
        },
        "problemtype_data": {
          "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
        },
        "references": {
          "@id": "https://www.variotdbs.pl/ref/references/"
        },
        "sources": {
          "@id": "https://www.variotdbs.pl/ref/sources/"
        },
        "sources_release_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
        },
        "sources_update_date": {
          "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
        },
        "threat_type": {
          "@id": "https://www.variotdbs.pl/ref/threat_type/"
        },
        "title": {
          "@id": "https://www.variotdbs.pl/ref/title/"
        },
        "type": {
          "@id": "https://www.variotdbs.pl/ref/type/"
        }
      },
      "@id": "https://www.variotdbs.pl/vuln/VAR-202501-2625",
      "affected_products": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "model": "airbot andy",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "goat g1",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n9",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot x2",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot z1",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n8",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t10",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t20",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t8",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot ava",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n10",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot x1",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t9",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot 900",
            "scope": "eq",
            "trust": 1.0,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot ava",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t10",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t9",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "goat g1",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot x1",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot andy",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t8",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot t20",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n9",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot 900",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n8",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot x2",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "airbot z1",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          },
          {
            "model": "deebot n10",
            "scope": null,
            "trust": 0.8,
            "vendor": "ecovacs",
            "version": null
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028188"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-12079"
          }
        ]
      },
      "cve": "CVE-2024-12079",
      "cvss": {
        "@context": {
          "cvssV2": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
          },
          "cvssV3": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
          },
          "severity": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/cvss/severity#"
            },
            "@id": "https://www.variotdbs.pl/ref/cvss/severity"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            },
            "@id": "https://www.variotdbs.pl/ref/sources"
          }
        },
        "data": [
          {
            "cvssV2": [],
            "cvssV3": [
              {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "author": "9119a7d8-5eab-497f-8521-727c672e3725",
                "availabilityImpact": "NONE",
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "confidentialityImpact": "LOW",
                "exploitabilityScore": 1.8,
                "id": "CVE-2024-12079",
                "impactScore": 1.4,
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "trust": 1.0,
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.1"
              },
              {
                "attackComplexity": "Low",
                "attackVector": "Local",
                "author": "OTHER",
                "availabilityImpact": "None",
                "baseScore": 3.3,
                "baseSeverity": "Low",
                "confidentialityImpact": "Low",
                "exploitabilityScore": null,
                "id": "JVNDB-2024-028188",
                "impactScore": null,
                "integrityImpact": "None",
                "privilegesRequired": "Low",
                "scope": "Unchanged",
                "trust": 0.8,
                "userInteraction": "None",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
                "version": "3.0"
              }
            ],
            "severity": [
              {
                "author": "9119a7d8-5eab-497f-8521-727c672e3725",
                "id": "CVE-2024-12079",
                "trust": 1.0,
                "value": "Medium"
              },
              {
                "author": "OTHER",
                "id": "JVNDB-2024-028188",
                "trust": 0.8,
                "value": "Low"
              }
            ]
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028188"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-12079"
          }
        ]
      },
      "description": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/description#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism. Affected products include DEEBOT 900 firmware, DEEBOT N8 firmware, DEEBOT T8 firmware, etc. ECOVACS products contain a vulnerability related to plaintext storage of sensitive information. Information may be obtained.",
        "sources": [
          {
            "db": "NVD",
            "id": "CVE-2024-12079"
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028188"
          }
        ],
        "trust": 1.62
      },
      "external_ids": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "db": "NVD",
            "id": "CVE-2024-12079",
            "trust": 2.6
          },
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028188",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028188"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-12079"
          }
        ]
      },
      "id": "VAR-202501-2625",
      "iot": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/iot#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": true,
        "sources": [
          {
            "db": "VARIoT devices database",
            "id": null
          }
        ],
        "trust": 0.5
      },
      "last_update_date": "2025-10-02T23:18:01.562000Z",
      "problemtype_data": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "problemtype": "CWE-312",
            "trust": 1.0
          },
          {
            "problemtype": "Plaintext storage of important information (CWE-312) [ others ]",
            "trust": 0.8
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028188"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-12079"
          }
        ]
      },
      "references": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/references#",
          "data": {
            "@container": "@list"
          },
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": [
          {
            "trust": 1.8,
            "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
          },
          {
            "trust": 0.8,
            "url": "https://nvd.nist.gov/vuln/detail/cve-2024-12079"
          }
        ],
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028188"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-12079"
          }
        ]
      },
      "sources": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028188"
          },
          {
            "db": "NVD",
            "id": "CVE-2024-12079"
          }
        ]
      },
      "sources_release_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-09-30T00:00:00",
            "db": "JVNDB",
            "id": "JVNDB-2024-028188"
          },
          {
            "date": "2025-01-23T17:15:13.187000",
            "db": "NVD",
            "id": "CVE-2024-12079"
          }
        ]
      },
      "sources_update_date": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
          "data": {
            "@container": "@list"
          }
        },
        "data": [
          {
            "date": "2025-09-30T01:51:00",
            "db": "JVNDB",
            "id": "JVNDB-2024-028188"
          },
          {
            "date": "2025-09-23T17:45:43.313000",
            "db": "NVD",
            "id": "CVE-2024-12079"
          }
        ]
      },
      "title": {
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/title#",
          "sources": {
            "@container": "@list",
            "@context": {
              "@vocab": "https://www.variotdbs.pl/ref/sources#"
            }
          }
        },
        "data": "Vulnerability in plaintext storage of critical information in multiple ECOVACS products",
        "sources": [
          {
            "db": "JVNDB",
            "id": "JVNDB-2024-028188"
          }
        ],
        "trust": 0.8
      }
    }

    CVE-2025-2394 (GCVE-0-2025-2394)

    Vulnerability from nvd – Published: 2025-05-23 00:03 – Updated: 2025-09-30 05:50
    Title
    Disclosure of Alibaba (OSS) Keys In Ecovacs Home Android and iOS Mobile Applications
    Summary
    Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    TML
    Impacted products

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2394",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-23T13:16:37.932318Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-23T13:16:47.733Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android",
                "iOS"
              ],
              "product": "Ecovacs Mobile and Android Application",
              "vendor": "Ecovacs",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.3.0",
                  "versionType": "iOS, Android"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure."
                }
              ],
              "value": "Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "PHYSICAL",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-30T05:50:10.557Z",
            "orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
            "shortName": "TML"
          },
          "references": [
            {
              "url": "https://www.themissinglink.com.au/security-advisories/cve-2025-2394"
            },
            {
              "url": "https://www.ecovacs.com/global/userhelp/dsa20250507001"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Disclosure of Alibaba (OSS) Keys In Ecovacs Home Android and iOS Mobile Applications",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
        "assignerShortName": "TML",
        "cveId": "CVE-2025-2394",
        "datePublished": "2025-05-23T00:03:32.603Z",
        "dateReserved": "2025-03-17T03:57:22.902Z",
        "dateUpdated": "2025-09-30T05:50:10.557Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-52329 (GCVE-0-2024-52329)

    Vulnerability from nvd – Published: 2025-01-23 16:36 – Updated: 2025-02-12 20:41
    Title
    ECOVACS HOME mobile app plugins do not properly validate TLS certificates
    Summary
    ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-295 - Improper Certificate Validation
    Assigner
    Impacted products
    Vendor Product Version
    ECOVACS ECOVACS HOME Unaffected: 3.0.0
    Affected: 0 , < 3.0.0 (custom)
    Date Public
    2023-12-27 00:00

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52329",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:56:47.220852Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:29.110Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "ECOVACS HOME",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "3.0.0"
                },
                {
                  "lessThan": "3.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2023-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295 Improper Certificate Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-23T16:36:06.533Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
            },
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            },
            {
              "name": "url",
              "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
            }
          ],
          "title": "ECOVACS HOME mobile app plugins do not properly validate TLS certificates"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-52329",
        "datePublished": "2025-01-23T16:36:06.533Z",
        "dateReserved": "2024-11-08T01:06:02.405Z",
        "dateUpdated": "2025-02-12T20:41:29.110Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-52327 (GCVE-0-2024-52327)

    Vulnerability from nvd – Published: 2025-01-23 16:39 – Updated: 2025-02-12 20:41
    Title
    ECOVACS lawnmower and vacuum cloud service live video PIN bypass
    Summary
    The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-603 - Use of Client-Side Authentication
    • CWE-807 - Reliance on Untrusted Inputs in a Security Decision
    Assigner
    Impacted products
    Vendor Product Version
    ECOVACS ECOVACS HOME Affected: all versions before 3.0.2 (custom version type)
    Unaffected: 3.0.2
    ECOVACS cloud service Affected: all versions before 2024-12-17 (custom version type)
    Unaffected: 2024-12-17
    Date Public
    2023-12-27 00:00

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52327",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:53:52.437051Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:28.703Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "ECOVACS HOME",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "3.0.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "3.0.2"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "cloud service",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "2024-12-17",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2024-12-17"
                }
              ]
            }
          ],
          "datePublic": "2023-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-603",
                  "description": "CWE-603 Use of Client-Side Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-807",
                  "description": "CWE-807 Reliance on Untrusted Inputs in a Security Decision",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-23T16:39:27.516Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
            },
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            },
            {
              "name": "url",
              "url": "https://www.ecovacs.com/global/userhelp/dsa20241217002"
            }
          ],
          "title": "ECOVACS lawnmower and vacuum cloud service live video PIN bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-52327",
        "datePublished": "2025-01-23T16:39:27.516Z",
        "dateReserved": "2024-11-08T01:06:02.404Z",
        "dateUpdated": "2025-02-12T20:41:28.703Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-2394 (GCVE-0-2025-2394)

    Vulnerability from cvelistv5 – Published: 2025-05-23 00:03 – Updated: 2025-09-30 05:50
    Title
    Disclosure of Alibaba (OSS) Keys In Ecovacs Home Android and iOS Mobile Applications
    Summary
    Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    TML
    Impacted products

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2394",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-23T13:16:37.932318Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-23T13:16:47.733Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android",
                "iOS"
              ],
              "product": "Ecovacs Mobile and Android Application",
              "vendor": "Ecovacs",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.3.0",
                  "versionType": "iOS, Android"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure."
                }
              ],
              "value": "Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "PHYSICAL",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-30T05:50:10.557Z",
            "orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
            "shortName": "TML"
          },
          "references": [
            {
              "url": "https://www.themissinglink.com.au/security-advisories/cve-2025-2394"
            },
            {
              "url": "https://www.ecovacs.com/global/userhelp/dsa20250507001"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Disclosure of Alibaba (OSS) Keys In Ecovacs Home Android and iOS Mobile Applications",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
        "assignerShortName": "TML",
        "cveId": "CVE-2025-2394",
        "datePublished": "2025-05-23T00:03:32.603Z",
        "dateReserved": "2025-03-17T03:57:22.902Z",
        "dateUpdated": "2025-09-30T05:50:10.557Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-52327 (GCVE-0-2024-52327)

    Vulnerability from cvelistv5 – Published: 2025-01-23 16:39 – Updated: 2025-02-12 20:41
    Title
    ECOVACS lawnmower and vacuum cloud service live video PIN bypass
    Summary
    The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-603 - Use of Client-Side Authentication
    • CWE-807 - Reliance on Untrusted Inputs in a Security Decision
    Assigner
    Impacted products
    Vendor Product Version
    ECOVACS ECOVACS HOME Affected: all versions before 3.0.2 (custom version type)
    Unaffected: 3.0.2
    ECOVACS cloud service Affected: all versions before 2024-12-17 (custom version type)
    Unaffected: 2024-12-17
    Date Public
    2023-12-27 00:00

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52327",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:53:52.437051Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:28.703Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "ECOVACS HOME",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "3.0.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "3.0.2"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "cloud service",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "2024-12-17",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2024-12-17"
                }
              ]
            }
          ],
          "datePublic": "2023-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-603",
                  "description": "CWE-603 Use of Client-Side Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-807",
                  "description": "CWE-807 Reliance on Untrusted Inputs in a Security Decision",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-23T16:39:27.516Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
            },
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            },
            {
              "name": "url",
              "url": "https://www.ecovacs.com/global/userhelp/dsa20241217002"
            }
          ],
          "title": "ECOVACS lawnmower and vacuum cloud service live video PIN bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-52327",
        "datePublished": "2025-01-23T16:39:27.516Z",
        "dateReserved": "2024-11-08T01:06:02.404Z",
        "dateUpdated": "2025-02-12T20:41:28.703Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-52329 (GCVE-0-2024-52329)

    Vulnerability from cvelistv5 – Published: 2025-01-23 16:36 – Updated: 2025-02-12 20:41
    Title
    ECOVACS HOME mobile app plugins do not properly validate TLS certificates
    Summary
    ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-295 - Improper Certificate Validation
    Assigner
    Impacted products
    Vendor Product Version
    ECOVACS ECOVACS HOME Unaffected: 3.0.0
    Affected: all versions before 3.0.0 (custom version type)
    Date Public
    2023-12-27 00:00

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52329",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:56:47.220852Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:29.110Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "ECOVACS HOME",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "3.0.0"
                },
                {
                  "lessThan": "3.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2023-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295 Improper Certificate Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-23T16:36:06.533Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
            },
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            },
            {
              "name": "url",
              "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
            }
          ],
          "title": "ECOVACS HOME mobile app plugins do not properly validate TLS certificates"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-52329",
        "datePublished": "2025-01-23T16:36:06.533Z",
        "dateReserved": "2024-11-08T01:06:02.405Z",
        "dateUpdated": "2025-02-12T20:41:29.110Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }