TLS Certificate Validation Flaw in ECOVACS Lawn Mowers and Vacuums
CVE-2024-52330

9.5 CRITICAL

Key Information:

Vendor: Ecovacs
CVE Published: 23 January 2025

What is CVE-2024-52330?

ECOVACS lawnmowers and vacuums suffer from a failure to adequately validate TLS certificates, allowing unauthenticated attackers to intercept and potentially alter TLS traffic. This vulnerability poses a significant security risk, as it enables the possibility of modifying firmware updates, which could lead to unauthorized control over these devices and expose users to further threats.

Affected Version(s)

DEEBOT T10 0 < 1.7.5

DEEBOT T10 OMNI 0 < 1.9.0

DEEBOT T10 PLUS 0 < 1.7.5

CVSS V4

Score: 9.5
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None
