CVE-2024-52325

CRITICAL

ECOVACS Robot Lawnmowers and Vacuums - Unauthenticated Command Injection via SetNetPin()

Title source: llm

Description

ECOVACS robot lawnmowers and vacuums are vulnerable to command injection in SetNetPin(), which is reachable over an unauthenticated Bluetooth Low Energy (BLE) connection: input received over BLE is passed into an OS command without authentication of the peer or validation of the value.
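The following is an added illustration of the CWE-77 pattern this entry describes, written for this page. It is not ECOVACS code and does not reproduce the real SetNetPin() implementation: the function names, the `/usr/bin/netcfg --pin` command line, the 4-digit PIN format and the `link_authenticated` flag are all assumptions made for the example. The unsafe builder shows how a PIN string received over a BLE characteristic ends up in a shell command line; the hardened handler shows the two checks a fix needs, an authenticated link and an allowlist on the value, with the validated PIN meant to be passed as its own argv element rather than through a shell.

```c
/* Added illustration of CWE-77 in a BLE "set network PIN" handler.
 * NOT ECOVACS code: function names, the netcfg command line and the
 * 4-digit PIN format are assumptions made for this example. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CMD_MAX 128
#define PIN_LEN 4

/* Vulnerable pattern: the PIN received over the BLE characteristic is
 * spliced into a shell command line. The string built here is what a
 * system()/popen() call would hand to /bin/sh. Returns 0 on success,
 * -1 if the command line would not fit in cmd. */
int build_cmd_unsafe(const char *pin, char *cmd, size_t cmd_len)
{
    int n = snprintf(cmd, cmd_len, "/usr/bin/netcfg --pin '%s'", pin);
    return (n < 0 || (size_t)n >= cmd_len) ? -1 : 0;
}

/* Allowlist check: exactly PIN_LEN ASCII digits and nothing else. */
int pin_is_valid(const char *pin)
{
    if (strlen(pin) != PIN_LEN)
        return 0;
    for (size_t i = 0; i < PIN_LEN; i++)
        if (!isdigit((unsigned char)pin[i]))
            return 0;
    return 1;
}

/* Hardened handler. Returns -2 if the BLE link is not authenticated
 * (paired/bonded), -1 if the PIN fails the allowlist, 0 on success with
 * the validated PIN copied to out_pin. The caller is expected to pass
 * out_pin as a separate argv element to execv(), never through a shell,
 * so metacharacters stay inert even if the allowlist is later relaxed. */
int handle_set_net_pin(int link_authenticated, const char *pin,
                       char out_pin[PIN_LEN + 1])
{
    if (!link_authenticated)
        return -2;
    if (!pin_is_valid(pin))
        return -1;
    memcpy(out_pin, pin, PIN_LEN);
    out_pin[PIN_LEN] = '\0';
    return 0;
}

/* Constructed attacker input (not a real payload from the advisory):
 * a valid-looking PIN, a quote that closes the '...' in the command
 * line, and a second command appended after a separator. */
static const char *const MALICIOUS_PIN = "1234';reboot;'";

int main(void)
{
    char cmd[CMD_MAX], pin[PIN_LEN + 1];

    build_cmd_unsafe(MALICIOUS_PIN, cmd, sizeof cmd);
    printf("unsafe command line: %s\n", cmd);

    printf("hardened, unauthenticated link: %d\n",
           handle_set_net_pin(0, "1234", pin));
    printf("hardened, injected PIN: %d\n",
           handle_set_net_pin(1, MALICIOUS_PIN, pin));
    printf("hardened, valid PIN: %d (%s)\n",
           handle_set_net_pin(1, "1234", pin), pin);
    return 0;
}
```

In a real firmware the `link_authenticated` value would come from the BLE stack's pairing and bonding state rather than a plain parameter; the point of the example is that the authentication gate and the allowlist are separate checks, and that removing the shell from the execution path is what makes the allowlist a defence in depth rather than the only barrier.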

Scores

CVSS v3 9.6
EPSS 0.0298
EPSS Percentile 85.5%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-77
Status published
Products (12)
ecovacs/deebot_t30_omni_firmware < 1.93.0
ecovacs/deebot_t30s_firmware < 1.95.0
ecovacs/deebot_x2_combo_firmware < 1.81.10
ecovacs/deebot_x2_omni_firmware < 1.76.6
ecovacs/deebot_x2s_firmware < 1.49.0
ecovacs/deebot_x5_pro_firmware < 1.70.0
ecovacs/deebot_x5_pro_plus_firmware < 1.38.0
ecovacs/deebot_x5_pro_ultra_firmware < 1.17.0
ecovacs/goat_g1-2000_firmware < 1.36.187
ecovacs/goat_g1-800_firmware < 1.36.187
... and 2 more
Published Jan 23, 2025
Tracked Since Feb 18, 2026