TLS Certificate Validation Flaw in ECOVACS Lawn Mowers and Vacuums
CVE-2024-52330

9.5CRITICAL

Key Information:

Vendor: Ecovacs
Status: Deebot X5 Pro Plus; Deebot X5 Pro; Deebot X2s; Deebot X2 Omni
Vendor: CVE Published:; 23 January 2025

What is CVE-2024-52330?

ECOVACS lawnmowers and vacuums suffer from a failure to adequately validate TLS certificates, allowing unauthenticated attackers to intercept and potentially alter TLS traffic. This vulnerability poses a significant security risk, as it enables the possibility of modifying firmware updates, which could lead to unauthorized control over these devices and expose users to further threats.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

DEEBOT T10 0 < 1.7.5

DEEBOT T10 OMNI 0 < 1.9.0

DEEBOT T10 PLUS 0 < 1.7.5

References

https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ec...

https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-...

https://www.ecovacs.com/global/userhelp/dsa20241217001

CVSS V4

Score:

9.5

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Jan 23, 2025
Vulnerability Reserved
Nov 8, 2024

JSON

Ecovacs