Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    6 vulnerabilities by Ecovacs

    CVE-2025-2394 (GCVE-0-2025-2394)

    Vulnerability from nvd – Published: 2025-05-23 00:03 – Updated: 2025-09-30 05:50
    VLAI
    Title
    Disclosure of Alibaba (OSS) Keys In Ecovacs Home Android and iOS Mobile Applications
    Summary
    Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    TML
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2394",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-23T13:16:37.932318Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-23T13:16:47.733Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android",
                "iOS"
              ],
              "product": "Ecovacs Mobile and Android Application",
              "vendor": "Ecovacs",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.3.0",
                  "versionType": "iOS, Android"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure."
                }
              ],
              "value": "Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "PHYSICAL",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-30T05:50:10.557Z",
            "orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
            "shortName": "TML"
          },
          "references": [
            {
              "url": "https://www.themissinglink.com.au/security-advisories/cve-2025-2394"
            },
            {
              "url": "https://www.ecovacs.com/global/userhelp/dsa20250507001"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Disclosure of Alibaba (OSS) Keys In Ecovacs Home Android and iOS Mobile Applications",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
        "assignerShortName": "TML",
        "cveId": "CVE-2025-2394",
        "datePublished": "2025-05-23T00:03:32.603Z",
        "dateReserved": "2025-03-17T03:57:22.902Z",
        "dateUpdated": "2025-09-30T05:50:10.557Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-52329 (GCVE-0-2024-52329)

    Vulnerability from nvd – Published: 2025-01-23 16:36 – Updated: 2025-02-12 20:41
    VLAI
    Title
    ECOVACS HOME mobile app plugins do not properly validate TLS certificates
    Summary
    ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-295 - Improper Certificate Validation
    Assigner
    Impacted products
    Vendor Product Version
    ECOVACS ECOVACS HOME Unaffected: 3.0.0
    Affected: 0 , < 3.0.0 (custom)
    Create a notification for this product.
    Date Public
    2023-12-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52329",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:56:47.220852Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:29.110Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "ECOVACS HOME",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "3.0.0"
                },
                {
                  "lessThan": "3.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2023-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295 Improper Certificate Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-23T16:36:06.533Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
            },
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            },
            {
              "name": "url",
              "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
            }
          ],
          "title": "ECOVACS HOME mobile app plugins do not properly validate TLS certificates"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-52329",
        "datePublished": "2025-01-23T16:36:06.533Z",
        "dateReserved": "2024-11-08T01:06:02.405Z",
        "dateUpdated": "2025-02-12T20:41:29.110Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-52327 (GCVE-0-2024-52327)

    Vulnerability from nvd – Published: 2025-01-23 16:39 – Updated: 2025-02-12 20:41
    VLAI
    Title
    ECOVACS lawnmower and vacuum cloud service live video PIN bypass
    Summary
    The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-603 - Use of Client-Side Authentication
    • CWE-807 - Reliance on Untrusted Inputs in a Security Decision
    Assigner
    Impacted products
    Vendor Product Version
    ECOVACS ECOVACS HOME Affected: 0 , < 3.0.2 (custom)
    Unaffected: 3.0.2
    Create a notification for this product.
    ECOVACS cloud service Affected: 0 , < 2024-12-17 (custom)
    Unaffected: 2024-12-17
    Create a notification for this product.
    Date Public
    2023-12-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52327",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:53:52.437051Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:28.703Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "ECOVACS HOME",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "3.0.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "3.0.2"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "cloud service",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "2024-12-17",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2024-12-17"
                }
              ]
            }
          ],
          "datePublic": "2023-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-603",
                  "description": "CWE-603 Use of Client-Side Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-807",
                  "description": "CWE-807 Reliance on Untrusted Inputs in a Security Decision",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-23T16:39:27.516Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
            },
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            },
            {
              "name": "url",
              "url": "https://www.ecovacs.com/global/userhelp/dsa20241217002"
            }
          ],
          "title": "ECOVACS lawnmower and vacuum cloud service live video PIN bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-52327",
        "datePublished": "2025-01-23T16:39:27.516Z",
        "dateReserved": "2024-11-08T01:06:02.404Z",
        "dateUpdated": "2025-02-12T20:41:28.703Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-2394 (GCVE-0-2025-2394)

    Vulnerability from cvelistv5 – Published: 2025-05-23 00:03 – Updated: 2025-09-30 05:50
    VLAI
    Title
    Disclosure of Alibaba (OSS) Keys In Ecovacs Home Android and iOS Mobile Applications
    Summary
    Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-798 - Use of Hard-coded Credentials
    Assigner
    TML
    Impacted products
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-2394",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-23T13:16:37.932318Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-23T13:16:47.733Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Android",
                "iOS"
              ],
              "product": "Ecovacs Mobile and Android Application",
              "vendor": "Ecovacs",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.3.0",
                  "versionType": "iOS, Android"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure."
                }
              ],
              "value": "Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-37",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-37 Retrieve Embedded Sensitive Data"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "attackVector": "PHYSICAL",
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "privilegesRequired": "NONE",
                "providerUrgency": "NOT_DEFINED",
                "subAvailabilityImpact": "HIGH",
                "subConfidentialityImpact": "HIGH",
                "subIntegrityImpact": "HIGH",
                "userInteraction": "NONE",
                "valueDensity": "NOT_DEFINED",
                "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H",
                "version": "4.0",
                "vulnAvailabilityImpact": "LOW",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "LOW",
                "vulnerabilityResponseEffort": "NOT_DEFINED"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-798",
                  "description": "CWE-798 Use of Hard-coded Credentials",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-09-30T05:50:10.557Z",
            "orgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
            "shortName": "TML"
          },
          "references": [
            {
              "url": "https://www.themissinglink.com.au/security-advisories/cve-2025-2394"
            },
            {
              "url": "https://www.ecovacs.com/global/userhelp/dsa20250507001"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "Disclosure of Alibaba (OSS) Keys In Ecovacs Home Android and iOS Mobile Applications",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "07aac9b9-e3e9-4d03-a447-764bd31371d7",
        "assignerShortName": "TML",
        "cveId": "CVE-2025-2394",
        "datePublished": "2025-05-23T00:03:32.603Z",
        "dateReserved": "2025-03-17T03:57:22.902Z",
        "dateUpdated": "2025-09-30T05:50:10.557Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-52327 (GCVE-0-2024-52327)

    Vulnerability from cvelistv5 – Published: 2025-01-23 16:39 – Updated: 2025-02-12 20:41
    VLAI
    Title
    ECOVACS lawnmower and vacuum cloud service live video PIN bypass
    Summary
    The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-603 - Use of Client-Side Authentication
    • CWE-807 - Reliance on Untrusted Inputs in a Security Decision
    Assigner
    Impacted products
    Vendor Product Version
    ECOVACS ECOVACS HOME Affected: 0 , < 3.0.2 (custom)
    Unaffected: 3.0.2
    Create a notification for this product.
    ECOVACS cloud service Affected: 0 , < 2024-12-17 (custom)
    Unaffected: 2024-12-17
    Create a notification for this product.
    Date Public
    2023-12-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52327",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:53:52.437051Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:28.703Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "ECOVACS HOME",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "3.0.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "3.0.2"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "product": "cloud service",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "lessThan": "2024-12-17",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "2024-12-17"
                }
              ]
            }
          ],
          "datePublic": "2023-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-603",
                  "description": "CWE-603 Use of Client-Side Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-807",
                  "description": "CWE-807 Reliance on Untrusted Inputs in a Security Decision",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-23T16:39:27.516Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
            },
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            },
            {
              "name": "url",
              "url": "https://www.ecovacs.com/global/userhelp/dsa20241217002"
            }
          ],
          "title": "ECOVACS lawnmower and vacuum cloud service live video PIN bypass"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-52327",
        "datePublished": "2025-01-23T16:39:27.516Z",
        "dateReserved": "2024-11-08T01:06:02.404Z",
        "dateUpdated": "2025-02-12T20:41:28.703Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-52329 (GCVE-0-2024-52329)

    Vulnerability from cvelistv5 – Published: 2025-01-23 16:36 – Updated: 2025-02-12 20:41
    VLAI
    Title
    ECOVACS HOME mobile app plugins do not properly validate TLS certificates
    Summary
    ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-295 - Improper Certificate Validation
    Assigner
    Impacted products
    Vendor Product Version
    ECOVACS ECOVACS HOME Unaffected: 3.0.0
    Affected: 0 , < 3.0.0 (custom)
    Create a notification for this product.
    Date Public
    2023-12-27 00:00
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-52329",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-01-23T16:56:47.220852Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-02-12T20:41:29.110Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "ECOVACS HOME",
              "vendor": "ECOVACS",
              "versions": [
                {
                  "status": "unaffected",
                  "version": "3.0.0"
                },
                {
                  "lessThan": "3.0.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "datePublic": "2023-12-27T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 9.5,
                "baseSeverity": "CRITICAL",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H",
                "version": "4.0"
              },
              "format": "CVSS"
            },
            {
              "cvssV3_1": {
                "baseScore": 7.4,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-295",
                  "description": "CWE-295 Improper Certificate Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-01-23T16:36:06.533Z",
            "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
            "shortName": "cisa-cg"
          },
          "references": [
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
            },
            {
              "name": "url",
              "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
            },
            {
              "name": "url",
              "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
            }
          ],
          "title": "ECOVACS HOME mobile app plugins do not properly validate TLS certificates"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "assignerShortName": "cisa-cg",
        "cveId": "CVE-2024-52329",
        "datePublished": "2025-01-23T16:36:06.533Z",
        "dateReserved": "2024-11-08T01:06:02.405Z",
        "dateUpdated": "2025-02-12T20:41:29.110Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }