CVE-2024-52328
- EPSS 0.04%
- Veröffentlicht 23.01.2025 17:15:14
- Zuletzt bearbeitet 23.09.2025 17:44:56
ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on.
CVE-2024-52330
- EPSS 0.83%
- Veröffentlicht 23.01.2025 17:15:14
- Zuletzt bearbeitet 23.09.2025 17:48:33
ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.
CVE-2024-52331
- EPSS 0.11%
- Veröffentlicht 23.01.2025 17:15:14
- Zuletzt bearbeitet 02.10.2025 15:15:52
ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.
CVE-2024-12078
- EPSS 0.11%
- Veröffentlicht 23.01.2025 17:15:13
- Zuletzt bearbeitet 23.09.2025 17:45:19
ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key.
CVE-2024-12079
- EPSS 0.03%
- Veröffentlicht 23.01.2025 17:15:13
- Zuletzt bearbeitet 23.09.2025 17:45:43
ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism.
CVE-2024-11147
- EPSS 0.12%
- Veröffentlicht 23.01.2025 17:15:12
- Zuletzt bearbeitet 23.09.2025 17:44:13
ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can login as root.