CVE-2024-52325

Exploit

EPSS 2.98%
Veröffentlicht 23.01.2025 16:15:35
Zuletzt bearbeitet 23.09.2025 17:35:35
Quelle 9119a7d8-5eab-497f-8521-727c67
CVE-Watchlists
Login
Unerledigt
Login

ECOVACS robot lawnmowers and vacuums command injection

ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 12 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ecovacs ≫ Goat G1-2000 Firmware Version < 1.36.187

Ecovacs ≫ Goat G1-2000 Version-

Ecovacs ≫ Goat G1 Firmware Version < 1.36.187

Ecovacs ≫ Goat G1 Version-

Ecovacs ≫ Goat G1-800 Firmware Version < 1.36.187

Ecovacs ≫ Goat G1-800 Version-

Ecovacs ≫ Gx-600 Firmware Version < 1.2.120

Ecovacs ≫ Gx-600 Version-

Ecovacs ≫ Deebot X2 Omni Firmware Version < 1.76.6

Ecovacs ≫ Deebot X2 Omni Version-

Ecovacs ≫ Deebot X2 Combo Firmware Version < 1.81.10

Ecovacs ≫ Deebot X2 Combo Version-

Ecovacs ≫ Deebot X2s Firmware Version < 1.49.0

Ecovacs ≫ Deebot X2s Version-

Ecovacs ≫ Deebot X5 Pro Firmware Version < 1.70.0

Ecovacs ≫ Deebot X5 Pro Version-

Ecovacs ≫ Deebot X5 Pro Plus Firmware Version < 1.38.0

Ecovacs ≫ Deebot X5 Pro Plus Version-

Ecovacs ≫ Deebot X5 Pro Ultra Firmware Version < 1.17.0

Ecovacs ≫ Deebot X5 Pro Ultra Version-

Ecovacs ≫ Deebot T30 Omni Firmware Version < 1.93.0

Ecovacs ≫ Deebot T30 Omni Version-

Ecovacs ≫ Deebot T30s Firmware Version < 1.95.0

Ecovacs ≫ Deebot T30s Version-

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.98%	0.855

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
9119a7d8-5eab-497f-8521-727c672e3725	5.8	0	0	CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
9119a7d8-5eab-497f-8521-727c672e3725	9.6	2.8	6	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

https://dontvacuum.me/talks/DEFCON32/DEFCON32_reveng_hacking_ecovacs_robots.pdf

Third Party Advisory

Exploit

https://www.ecovacs.com/global/userhelp/dsa20241119

Vendor Advisory

https://www.ecovacs.com/global/userhelp/dsa20241130001

Vendor Advisory

https://youtu.be/_wUsM0Mlenc?t=2041

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2024-52325

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-52325

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-52325

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-52325