cvelistv5 - CVE-2024-52330

CVE-2024-52330

Vulnerability from cvelistv5

Published

2025-01-23 16:36

Modified

2025-02-12 20:41

Severity ?

7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
9.5 (Critical) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H

Summary

ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.

References

▼	URL	Tags
	9119a7d8-5eab-497f-8521-727c672e3725	https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf
	9119a7d8-5eab-497f-8521-727c672e3725	https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf
	9119a7d8-5eab-497f-8521-727c672e3725	https://www.ecovacs.com/global/userhelp/dsa20241217001

Impacted products

Vendor

Product

Version

▼

ECOVACS

DEEBOT X5 PRO PLUS

Version: 0 < 1.38.0

ECOVACS	DEEBOT X5 PRO	Version: 0 < 1.70.0
ECOVACS	DEEBOT X2S	Version: 0 < 1.49.0
ECOVACS	DEEBOT X2 OMNI	Version: 0 < 1.76.6
ECOVACS	DEEBOT X1 TURBO	Version: 0 < 2.4.41
ECOVACS	DEEBOT X1	Version: 0 < 1.7.3
ECOVACS	DEEBOT X1S PRO	Version: 0 < 2.5.31
ECOVACS	DEEBOT X1e OMNI	Version: 0 < 2.4.42
ECOVACS	DEEBOT T10 PLUS	Version: 0 < 1.7.5
ECOVACS	DEEBOT T10 OMNI	Version: 0 < 1.9.0
ECOVACS	DEEBOT X5 PRO ULTRA	Version: 0 < 1.17.0
ECOVACS	Mate X	Version: 0 < 1.44.18
ECOVACS	DEEBOT X2 PRO	Version: 0 < 1.76.6
ECOVACS	DEEBOT X2 COMBO	Version: 0 < 1.81.10
ECOVACS	DEEBOT X1 OMNI	Version: 0 < 2.4.41
ECOVACS	DEEBOT X1 PRO OMNI	Version: 0 < 2.4.41
ECOVACS	DEEBOT X1 PLUS	Version: 0 < 1.7.3
ECOVACS	DEEBOT X1S PRO PLUS	Version: 0 < 1.23.0
ECOVACS	DEEBOT T10 TURBO	Version: 0 < 1.10.0
ECOVACS	DEEBOT T10	Version: 0 < 1.7.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-52330",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-23T16:56:31.855219Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-12T20:41:28.969Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X5 PRO PLUS",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "1.38.0"
            },
            {
              "lessThan": "1.38.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X5 PRO",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "1.70.0"
            },
            {
              "lessThan": "1.70.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X2S",
          "vendor": "ECOVACS",
          "versions": [
            {
              "lessThan": "1.49.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "1.49.0"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X2  OMNI",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "1.76.6"
            },
            {
              "lessThan": "1.76.6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X1 TURBO",
          "vendor": "ECOVACS",
          "versions": [
            {
              "lessThan": "2.4.41",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "2.4.41"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X1",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "1.7.3"
            },
            {
              "lessThan": "1.7.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X1S PRO",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "2.5.31"
            },
            {
              "lessThan": "2.5.31",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X1e OMNI",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "2.4.42"
            },
            {
              "lessThan": "2.4.42",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT T10 PLUS",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "1.7.5"
            },
            {
              "lessThan": "1.7.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT T10 OMNI",
          "vendor": "ECOVACS",
          "versions": [
            {
              "lessThan": "1.9.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "1.9.0"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X5 PRO ULTRA",
          "vendor": "ECOVACS",
          "versions": [
            {
              "lessThan": "1.17.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "1.17.0"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "Mate X",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "1.44.18"
            },
            {
              "lessThan": "1.44.18",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X2 PRO",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "1.76.6"
            },
            {
              "lessThan": "1.76.6",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X2 COMBO",
          "vendor": "ECOVACS",
          "versions": [
            {
              "lessThan": "1.81.10",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "1.81.10"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X1 OMNI",
          "vendor": "ECOVACS",
          "versions": [
            {
              "lessThan": "2.4.41",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "2.4.41"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X1 PRO OMNI",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "2.4.41"
            },
            {
              "lessThan": "2.4.41",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X1 PLUS",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "1.7.3"
            },
            {
              "lessThan": "1.7.3",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT X1S PRO PLUS",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "1.23.0"
            },
            {
              "lessThan": "1.23.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT T10 TURBO",
          "vendor": "ECOVACS",
          "versions": [
            {
              "status": "unaffected",
              "version": "1.10.0"
            },
            {
              "lessThan": "1.10.0",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unknown",
          "product": "DEEBOT T10",
          "vendor": "ECOVACS",
          "versions": [
            {
              "lessThan": "1.7.5",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "1.7.5"
            }
          ]
        }
      ],
      "datePublic": "2023-12-27T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        },
        {
          "cvssV4_0": {
            "baseScore": 9.5,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H",
            "version": "4.0"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295 Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-23T16:36:50.128Z",
        "orgId": "9119a7d8-5eab-497f-8521-727c672e3725",
        "shortName": "cisa-cg"
      },
      "references": [
        {
          "name": "url",
          "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
        },
        {
          "name": "url",
          "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
        },
        {
          "name": "url",
          "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
        }
      ],
      "title": "ECOVACS lawnmowers and vacuums do not properly validate TLS certificates"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725",
    "assignerShortName": "cisa-cg",
    "cveId": "CVE-2024-52330",
    "datePublished": "2025-01-23T16:36:50.128Z",
    "dateReserved": "2024-11-08T01:06:02.405Z",
    "dateUpdated": "2025-02-12T20:41:28.969Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-52330\",\"sourceIdentifier\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"published\":\"2025-01-23T17:15:14.427\",\"lastModified\":\"2025-01-23T17:15:14.427\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.5,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnerableSystemConfidentiality\":\"HIGH\",\"vulnerableSystemIntegrity\":\"HIGH\",\"vulnerableSystemAvailability\":\"NONE\",\"subsequentSystemConfidentiality\":\"HIGH\",\"subsequentSystemIntegrity\":\"HIGH\",\"subsequentSystemAvailability\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirements\":\"NOT_DEFINED\",\"integrityRequirements\":\"NOT_DEFINED\",\"availabilityRequirements\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnerableSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedVulnerableSystemIntegrity\":\"NOT_DEFINED\",\"modifiedVulnerableSystemAvailability\":\"NOT_DEFINED\",\"modifiedSubsequentSystemConfidentiality\":\"NOT_DEFINED\",\"modifiedSubsequentSystemIntegrity\":\"NOT_DEFINED\",\"modifiedSubsequentSystemAvailability\":\"NOT_DEFINED\",\"safety\":\"NOT_DEFINED\",\"automatable\":\"NOT_DEFINED\",\"recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]}],\"references\":[{\"url\":\"https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"},{\"url\":\"https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"},{\"url\":\"https://www.ecovacs.com/global/userhelp/dsa20241217001\",\"source\":\"9119a7d8-5eab-497f-8521-727c672e3725\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-52330\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-23T16:56:31.855219Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-12T20:35:32.396Z\"}}], \"cna\": {\"title\": \"ECOVACS lawnmowers and vacuums do not properly validate TLS certificates\", \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"version\": \"3.1\", \"baseScore\": 7.4, \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N\"}}, {\"format\": \"CVSS\", \"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 9.5, \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H\"}}], \"affected\": [{\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X5 PRO PLUS\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.38.0\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.38.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X5 PRO\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.70.0\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.70.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X2S\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.49.0\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"1.49.0\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X2  OMNI\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.76.6\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.76.6\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X1 TURBO\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.4.41\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"2.4.41\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X1\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.7.3\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.7.3\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X1S PRO\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"2.5.31\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.5.31\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X1e OMNI\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"2.4.42\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.4.42\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT T10 PLUS\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.7.5\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.7.5\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT T10 OMNI\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.9.0\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"1.9.0\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X5 PRO ULTRA\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.17.0\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"1.17.0\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"Mate X\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.44.18\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.44.18\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X2 PRO\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.76.6\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.76.6\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X2 COMBO\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.81.10\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"1.81.10\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X1 OMNI\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.4.41\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"2.4.41\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X1 PRO OMNI\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"2.4.41\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.4.41\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X1 PLUS\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.7.3\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.7.3\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT X1S PRO PLUS\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.23.0\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.23.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT T10 TURBO\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"1.10.0\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.10.0\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"vendor\": \"ECOVACS\", \"product\": \"DEEBOT T10\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.7.5\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"1.7.5\"}], \"defaultStatus\": \"unknown\"}], \"datePublic\": \"2023-12-27T00:00:00.000Z\", \"references\": [{\"url\": \"https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf\", \"name\": \"url\"}, {\"url\": \"https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf\", \"name\": \"url\"}, {\"url\": \"https://www.ecovacs.com/global/userhelp/dsa20241217001\", \"name\": \"url\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-295\", \"description\": \"CWE-295 Improper Certificate Validation\"}]}], \"providerMetadata\": {\"orgId\": \"9119a7d8-5eab-497f-8521-727c672e3725\", \"shortName\": \"cisa-cg\", \"dateUpdated\": \"2025-01-23T16:36:50.128Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-52330\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-12T20:41:28.969Z\", \"dateReserved\": \"2024-11-08T01:06:02.405Z\", \"assignerOrgId\": \"9119a7d8-5eab-497f-8521-727c672e3725\", \"datePublished\": \"2025-01-23T16:36:50.128Z\", \"assignerShortName\": \"cisa-cg\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

fkie_cve-2024-52330

Vulnerability from fkie_nvd

Published

2025-01-23 17:15

Modified

2025-01-23 17:15

Severity ?

7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.

References

▼	URL	Tags
	9119a7d8-5eab-497f-8521-727c672e3725	https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf
	9119a7d8-5eab-497f-8521-727c672e3725	https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf
	9119a7d8-5eab-497f-8521-727c672e3725	https://www.ecovacs.com/global/userhelp/dsa20241217001

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates."
    },
    {
      "lang": "es",
      "value": "Las cortadoras de c\u00e9sped y las aspiradoras ECOVACS no validan correctamente los certificados TLS. Un atacante no autenticado puede leer o modificar el tr\u00e1fico TLS, posiblemente modificando las actualizaciones de firmware."
    }
  ],
  "id": "CVE-2024-52330",
  "lastModified": "2025-01-23T17:15:14.427",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.2,
        "source": "9119a7d8-5eab-497f-8521-727c672e3725",
        "type": "Secondary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "automatable": "NOT_DEFINED",
          "availabilityRequirements": "NOT_DEFINED",
          "baseScore": 9.5,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirements": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirements": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubsequentSystemAvailability": "NOT_DEFINED",
          "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED",
          "modifiedSubsequentSystemIntegrity": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnerableSystemAvailability": "NOT_DEFINED",
          "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED",
          "modifiedVulnerableSystemIntegrity": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "recovery": "NOT_DEFINED",
          "safety": "NOT_DEFINED",
          "subsequentSystemAvailability": "HIGH",
          "subsequentSystemConfidentiality": "HIGH",
          "subsequentSystemIntegrity": "HIGH",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnerabilityResponseEffort": "NOT_DEFINED",
          "vulnerableSystemAvailability": "NONE",
          "vulnerableSystemConfidentiality": "HIGH",
          "vulnerableSystemIntegrity": "HIGH"
        },
        "source": "9119a7d8-5eab-497f-8521-727c672e3725",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-23T17:15:14.427",
  "references": [
    {
      "source": "9119a7d8-5eab-497f-8521-727c672e3725",
      "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
    },
    {
      "source": "9119a7d8-5eab-497f-8521-727c672e3725",
      "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
    },
    {
      "source": "9119a7d8-5eab-497f-8521-727c672e3725",
      "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
    }
  ],
  "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-295"
        }
      ],
      "source": "9119a7d8-5eab-497f-8521-727c672e3725",
      "type": "Secondary"
    }
  ]
}

ghsa-m998-32q9-vxpx

Vulnerability from github

Published

2025-01-23 18:31

Modified

2025-01-23 18:31

Severity ?

7.4 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
9.5 (Critical) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H

Details

ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2024-52330"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-295"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-23T17:15:14Z",
    "severity": "CRITICAL"
  },
  "details": "ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.",
  "id": "GHSA-m998-32q9-vxpx",
  "modified": "2025-01-23T18:31:20Z",
  "published": "2025-01-23T18:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52330"
    },
    {
      "type": "WEB",
      "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
    },
    {
      "type": "WEB",
      "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.ecovacs.com/global/userhelp/dsa20241217001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-52330

Vulnerability from cvelistv5

fkie_cve-2024-52330

Vulnerability from fkie_nvd

ghsa-m998-32q9-vxpx

Vulnerability from github

Tags

Sightings

Nomenclature