Command Injection Vulnerability in ECOVACS Robot Lawn Mowers and Vacuums
CVE-2024-52325

5.8 MEDIUM

Key Information:

Vendor: Ecovacs
CVE Published: 23 January 2025

What is CVE-2024-52325?

ECOVACS robot lawnmowers and vacuums are vulnerable to command injection through the SetNetPin() function, which attackers can reach over an unauthenticated BLE connection. This could enable unauthorized commands to be executed, compromising the security and operational integrity of the devices. Users of these products should be aware of the risks associated with this vulnerability and take appropriate measures to secure their devices.

Affected Version(s)

DEEBOT T30 OMNI 0 < 1.93.0

DEEBOT T30S 0 < 1.95.0

DEEBOT X2 OMNI 0 < 1.76.6

CVSS V4

Score: 5.8
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
