CVE-2024-52331
HIGHECOVACS Robot Lawnmowers and Vacuums - Arbitrary Firmware Installation via Deterministic Symmetric Key
Title source: llmDescription
ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.
References (2)
Core 2
Core References
Exploit, Third Party Advisory
https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf
Exploit, Third Party Advisory
https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.html
Scores
CVSS v3
7.5
EPSS
0.0020
EPSS Percentile
9.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-327
CWE-1391
CWE-494
Status
published
Products (14)
ecovacs/airbot_andy_firmware
ecovacs/airbot_ava_firmware
ecovacs/airbot_z1_firmware
ecovacs/deebot_900_firmware
ecovacs/deebot_n10_firmware
ecovacs/deebot_n8_firmware
ecovacs/deebot_n9_firmware
ecovacs/deebot_t10_firmware
ecovacs/deebot_t20_firmware
ecovacs/deebot_t8_firmware
... and 4 more
Published
Jan 23, 2025
Tracked Since
Feb 18, 2026