Command Injection Vulnerability in ECOVACS Robot Lawn Mowers and Vacuums
CVE-2024-52325

5.8MEDIUM

Key Information:

Vendor: Ecovacs
Status: Goat G1; Goat G1-800; Deebot X2s; Deebot X5 Pro
Vendor: CVE Published:; 23 January 2025

What is CVE-2024-52325?

ECOVACS robot lawnmowers and vacuums are exposed to a command injection vulnerability that allows attackers to exploit the SetNetPin() function over an unauthenticated BLE connection. This could enable unauthorized commands to be executed, compromising the security and operational integrity of the devices. Users of these products should be aware of the risks associated with this vulnerability and take appropriate measures to secure their devices.

Affected Version(s)

DEEBOT T30 OMNI 0 < 1.93.0

DEEBOT T30S 0 < 1.95.0

DEEBOT X2 OMNI 0 < 1.76.6

References

https://dontvacuum.me/talks/DEFCON32/DEFCON32_reveng_hack...

https://youtu.be/_wUsM0Mlenc?t=2041

https://www.ecovacs.com/global/userhelp/dsa20241130001

CVSS V4

Score:

5.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Adjacent Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 23, 2025
Vulnerability Reserved
Nov 8, 2024

CVE-2024-52325 Data

JSON

Ecovacs

What is CVE-2024-52325?

Affected Version(s)

References

CVSS V4

Timeline