Vulmon
ecovacs vulnerabilities and exploits
7.4
CVSSv3
CVE-2024-52330
ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.
Ecovacs Deebot X5 Pro Plus
Ecovacs Deebot X5 Pro
Ecovacs Deebot X2s
Ecovacs Deebot X2 Omni
Ecovacs Deebot X1 Turbo
Ecovacs Deebot X1
Ecovacs Deebot X1s Pro
Ecovacs Deebot X1e Omni
Ecovacs Deebot T10 Plus
Ecovacs Deebot T10 Omni
Ecovacs Deebot X5 Pro Ultra
Ecovacs Mate X
9.6
CVSSv3
CVE-2024-52325
ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection.
Ecovacs Goat G1
Ecovacs Goat G1-800
Ecovacs Deebot X2s
Ecovacs Deebot X5 Pro
Ecovacs Deebot X5 Pro Plus
Ecovacs Deebot T30 Omni
Ecovacs Deebot T30s
Ecovacs Goat G1-2000
Ecovacs Goat Gx-600
Ecovacs Deebot X2 Omni
Ecovacs Deebot X2 Combo
Ecovacs Deebot X5 Pro Ultra
6.5
CVSSv3
CVE-2024-52327
The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated malicious users to bypass the PIN entry required to access the live video feed.
Ecovacs Ecovacs Home
Ecovacs Cloud Service
7.4
CVSSv3
CVE-2024-52329
ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens.
Ecovacs Ecovacs Home
7.6
CVSSv3
CVE-2024-11147
ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can log in as root.
Ecovacs Unspecified Robots
3.3
CVSSv3
CVE-2024-12079
ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism.
Ecovacs Unspecified Robots
6.3
CVSSv3
CVE-2024-12078
ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key.
Ecovacs Unspecified Robots
2.3
CVSSv3
CVE-2024-52328
ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on.
Ecovacs Unspecified Robots
7.5
CVSSv3
CVE-2024-52331
ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.
Ecovacs Unspecified Robots
NA
CVE-2024-42911
ECOVACS Robotics Deebot T20 OMNI and T20e OMNI prior to 1.24.0 contain a WiFi Remote Code Execution vulnerability.