CVE-2024-52330
HIGH
ECOVACS Deebot and Lawnmower Firmware - Unauthenticated TLS Certificate Validation Bypass
Title source: llmDescription
ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.
References (3)
Core References
Exploit, Third Party Advisory
https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf
Exploit, Third Party Advisory
https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf
Vendor Advisory
https://www.ecovacs.com/global/userhelp/dsa20241217001
Scores
CVSS v3
7.4
EPSS
0.0032
EPSS Percentile
23.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-295
Status
published
Products (20)
ecovacs/deebot_t10_firmware < 1.7.5
ecovacs/deebot_t10_omni_firmware < 1.9.0
ecovacs/deebot_t10_plus_firmware < 1.7.5
ecovacs/deebot_t10_turbo_firmware < 1.10.0
ecovacs/deebot_x1_firmware < 1.7.3
ecovacs/deebot_x1_omni_firmware < 2.4.41
ecovacs/deebot_x1_plus_firmware < 1.7.3
ecovacs/deebot_x1_pro_omni_firmware < 2.4.41
ecovacs/deebot_x1_turbo_firmware < 2.4.41
ecovacs/deebot_x1e_omni_firmware < 2.4.42
... and 10 more
Published
Jan 23, 2025
Tracked Since
Feb 18, 2026