Sensitive Data Exposure in Ecovacs Home Mobile Applications for Android and iOS
CVE-2025-2394

4.7MEDIUM

Key Information:

Vendor: Ecovacs
Status: Ecovacs Mobile And Android Application
Vendor: CVE Published:; 23 May 2025

What is CVE-2025-2394?

The Ecovacs Home mobile applications for Android and iOS, up to version 3.3.0, were found to contain hardcoded access keys and secrets for Alibaba Object Storage Service (OSS). This vulnerability could allow malicious actors to exploit these credentials, potentially leading to unauthorized access and the exposure of sensitive user data. Users are advised to update their applications promptly and review access controls related to their data.

Affected Version(s)

Ecovacs Mobile and Android Application Android 3.3.0

References

https://www.themissinglink.com.au/security-advisories/cve...

https://www.ecovacs.com/global/userhelp/dsa20250507001

CVSS V4

Score:

4.7

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Physical

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 23, 2025

CVE-2025-2394 Data

JSON