MidnightBSD

Advisories for ecovacs

CVE-2024-11147

ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can login as root.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 7.6 HIGH CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 0.9 6.0

Products Affected

Vendor Product Version
ecovacs deebot_x1_firmware -
ecovacs airbot_andy_firmware -
ecovacs deebot_t8_firmware -
ecovacs deebot_n9_firmware -
ecovacs deebot_n8_firmware -
ecovacs deebot_n10_firmware -
ecovacs deebot_x2_firmware -
ecovacs airbot_z1_firmware -
ecovacs airbot_ava_firmware -
ecovacs deebot_t10_firmware -
ecovacs deebot_t9_firmware -
ecovacs deebot_t20_firmware -
ecovacs goat_g1_firmware -
ecovacs deebot_900_firmware -
CVE-2024-12078

ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 6.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 2.8 3.4

Products Affected

Vendor Product Version
ecovacs deebot_x1_firmware -
ecovacs airbot_andy_firmware -
ecovacs deebot_t8_firmware -
ecovacs deebot_n9_firmware -
ecovacs deebot_n8_firmware -
ecovacs deebot_n10_firmware -
ecovacs deebot_x2_firmware -
ecovacs airbot_z1_firmware -
ecovacs airbot_ava_firmware -
ecovacs deebot_t10_firmware -
ecovacs deebot_t9_firmware -
ecovacs deebot_t20_firmware -
ecovacs goat_g1_firmware -
ecovacs deebot_900_firmware -
CVE-2024-12079

ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 3.3 LOW CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 1.8 1.4

Products Affected

Vendor Product Version
ecovacs deebot_x1_firmware -
ecovacs airbot_andy_firmware -
ecovacs deebot_t8_firmware -
ecovacs deebot_n9_firmware -
ecovacs deebot_n8_firmware -
ecovacs deebot_n10_firmware -
ecovacs deebot_x2_firmware -
ecovacs airbot_z1_firmware -
ecovacs airbot_ava_firmware -
ecovacs deebot_t10_firmware -
ecovacs deebot_t9_firmware -
ecovacs deebot_t20_firmware -
ecovacs goat_g1_firmware -
ecovacs deebot_900_firmware -
CVE-2024-52325

ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 9.6 CRITICAL CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 2.8 6.0

Products Affected

Vendor Product Version
ecovacs deebot_x5_pro_firmware *
ecovacs gx-600_firmware *
ecovacs deebot_x2s_firmware *
ecovacs goat_g1-2000_firmware *
ecovacs deebot_x5_pro_ultra_firmware *
ecovacs deebot_x2_omni_firmware *
ecovacs deebot_t30_omni_firmware *
ecovacs goat_g1_firmware *
ecovacs deebot_x5_pro_plus_firmware *
ecovacs deebot_x2_combo_firmware *
ecovacs goat_g1-800_firmware *
ecovacs deebot_t30s_firmware *
CVE-2024-52327

The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
ecovacs home *
CVE-2024-52328

ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 2.3 LOW CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N 0.8 1.4

Products Affected

Vendor Product Version
ecovacs deebot_x1_firmware -
ecovacs airbot_andy_firmware -
ecovacs deebot_t8_firmware -
ecovacs deebot_n9_firmware -
ecovacs deebot_n8_firmware -
ecovacs deebot_n10_firmware -
ecovacs deebot_x2_firmware -
ecovacs airbot_z1_firmware -
ecovacs airbot_ava_firmware -
ecovacs deebot_t10_firmware -
ecovacs deebot_t9_firmware -
ecovacs deebot_t20_firmware -
ecovacs goat_g1_firmware -
ecovacs deebot_900_firmware -
CVE-2024-52329

ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 2.2 5.2

Products Affected

Vendor Product Version
ecovacs home *
CVE-2024-52330

ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 7.4 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N 2.2 5.2

Products Affected

Vendor Product Version
ecovacs deebot_x5_pro_firmware *
ecovacs deebot_t10_omni_firmware *
ecovacs deebot_x2s_firmware *
ecovacs deebot_t10_turbo_firmware *
ecovacs deebot_x5_pro_ultra_firmware *
ecovacs deebot_x1e_omni_firmware *
ecovacs deebot_x2_omni_firmware *
ecovacs mate_x_firmware *
ecovacs deebot_x1_turbo_firmware *
ecovacs deebot_x1s_pro_plus_firmware *
ecovacs deebot_x1_firmware *
ecovacs deebot_x1_pro_omni_firmware *
ecovacs deebot_x5_pro_plus_firmware *
ecovacs deebot_x1s_pro_firmware *
ecovacs deebot_x2_pro_firmware *
ecovacs deebot_x2_combo_firmware *
ecovacs deebot_t10_firmware *
ecovacs deebot_x1_plus_firmware *
ecovacs deebot_t10_plus_firmware *
ecovacs deebot_x1_omni_firmware *
CVE-2024-52331

ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 7.5 HIGH CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H 1.6 5.9

Products Affected

Vendor Product Version
ecovacs deebot_x1_firmware -
ecovacs airbot_andy_firmware -
ecovacs deebot_t8_firmware -
ecovacs deebot_n9_firmware -
ecovacs deebot_n8_firmware -
ecovacs deebot_n10_firmware -
ecovacs deebot_x2_firmware -
ecovacs airbot_z1_firmware -
ecovacs airbot_ava_firmware -
ecovacs deebot_t10_firmware -
ecovacs deebot_t9_firmware -
ecovacs deebot_t20_firmware -
ecovacs goat_g1_firmware -
ecovacs deebot_900_firmware -
CVE-2025-30198

ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK, which can be easily derived.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 6.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 2.8 3.4

Products Affected

Vendor Product Version
ecovacs deebot_t10_omni_firmware *
ecovacs deebot_t20_pro_plus_firmware *
ecovacs deebot_t10_turbo_firmware *
ecovacs deebot_t20_pro_firmware *
ecovacs deebot_t30_omni_firmware *
ecovacs deebot_x1_turbo_firmware *
ecovacs deebot_x1_pro_omni_firmware *
ecovacs deebot_t20_omni_firmware *
ecovacs deebot_x1s_pro_firmware *
ecovacs deebot_t10_firmware *
ecovacs deebot_t10_plus_firmware *
ecovacs deebot_x1_omni_firmware *
ecovacs deebot_t30s_firmware *
CVE-2025-30199

ECOVACS vacuum robot base stations do not validate firmware updates, so malicious over-the-air updates can be sent to base station via insecure connection between robot and base station.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
ecovacs deebot_t10_omni_firmware *
ecovacs deebot_t20_pro_plus_firmware *
ecovacs deebot_t10_turbo_firmware *
ecovacs deebot_t20_pro_firmware *
ecovacs deebot_t30_omni_firmware *
ecovacs deebot_x1_turbo_firmware *
ecovacs deebot_x1_pro_omni_firmware *
ecovacs deebot_t20_omni_firmware *
ecovacs deebot_x1s_pro_firmware *
ecovacs deebot_t10_firmware *
ecovacs deebot_t10_plus_firmware *
ecovacs deebot_x1_omni_firmware *
ecovacs deebot_t30s_firmware *
CVE-2025-30200

ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption key, which can be easily derived.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
9119a7d8-5eab-497f-8521-727c672e3725 6.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L 2.8 3.4

Products Affected

Vendor Product Version
ecovacs deebot_t10_omni_firmware *
ecovacs deebot_t20_pro_plus_firmware *
ecovacs deebot_t10_turbo_firmware *
ecovacs deebot_t20_pro_firmware *
ecovacs deebot_t30_omni_firmware *
ecovacs deebot_x1_turbo_firmware *
ecovacs deebot_x1_pro_omni_firmware *
ecovacs deebot_t20_omni_firmware *
ecovacs deebot_x1s_pro_firmware *
ecovacs deebot_t10_firmware *
ecovacs deebot_t10_plus_firmware *
ecovacs deebot_x1_omni_firmware *
ecovacs deebot_t30s_firmware *