CVE-2024-52328
LOWECOVACS Robot Lawnmowers and Vacuums - Unprotected Audio File Tampering in Camera Warning System
Title source: llmDescription
ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on.
References (2)
Core 2
Core References
Exploit, Third Party Advisory
https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf
Exploit, Third Party Advisory
https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf
Scores
CVSS v3
2.3
EPSS
0.0020
EPSS Percentile
9.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-732
Status
published
Products (14)
ecovacs/airbot_andy_firmware
ecovacs/airbot_ava_firmware
ecovacs/airbot_z1_firmware
ecovacs/deebot_900_firmware
ecovacs/deebot_n10_firmware
ecovacs/deebot_n8_firmware
ecovacs/deebot_n9_firmware
ecovacs/deebot_t10_firmware
ecovacs/deebot_t20_firmware
ecovacs/deebot_t8_firmware
... and 4 more
Published
Jan 23, 2025
Tracked Since
Feb 18, 2026