CVE-2024-52331

HIGH

ECOVACS - Code Injection

Title source: llm

Description

ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.

References (2)

[Exploit, Third Party Advisory] https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf

[Exploit, Third Party Advisory] https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.html

Scores

CVSS v3 7.5

EPSS 0.0008

EPSS Percentile 24.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-327 CWE-1391 CWE-494

Status published

Products (14)

ecovacs/airbot_andy_firmware

ecovacs/airbot_ava_firmware

ecovacs/airbot_z1_firmware

ecovacs/deebot_900_firmware

ecovacs/deebot_n10_firmware

ecovacs/deebot_n8_firmware

ecovacs/deebot_n9_firmware

ecovacs/deebot_t10_firmware

ecovacs/deebot_t20_firmware

ecovacs/deebot_t8_firmware

... and 4 more

Published Jan 23, 2025

Tracked Since Feb 18, 2026