
Products

1 vendor

| Vendor | Products | CVEs | KEV | Avg EPSS | Worst Severity |
|---|---|---|---|---|---|
| | 41 | 12 | 0 | 21.7% | CRITICAL |

Related CVEs

12 CVEs

| CVE ID | Description | Severity | CVSS | KEV | EPSS | Published |
|---|---|---|---|---|---|---|
| CVE-2025-30200 | ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption key, which can be easily derived. | LOW | 2.3 | | 2.7% | Sep 5, 2025 |
| CVE-2025-30199 | ECOVACS vacuum robot base stations do not validate firmware updates, so malicious over-the-air updates can be sent to the base station via the insecure connection between robot and base station. | HIGH | 7.5 | | 18.4% | Sep 5, 2025 |
| CVE-2025-30198 | ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK, which can be easily derived. | LOW | 2.3 | | 10.3% | Sep 5, 2025 |
| CVE-2024-52331 | ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot. | HIGH | 7.7 | | 11.1% | Jan 23, 2025 |
| CVE-2024-52330 | ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates. | CRITICAL | 9.5 | | 25.3% | Jan 23, 2025 |
| CVE-2024-52329 | ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens. | CRITICAL | 9.5 | | 28.4% | Jan 23, 2025 |
| CVE-2024-52328 | ECOVACS robot lawnmowers and vacuums insecurely store the audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify the warning files so that users may not be aware that the camera is on. | LOW | 1.8 | | 11.1% | Jan 23, 2025 |
| CVE-2024-52327 | The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed. | MEDIUM | 6.0 | | 36.6% | Jan 23, 2025 |
| CVE-2024-12079 | ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism. | MEDIUM | 4.8 | | 4.4% | Jan 23, 2025 |
| CVE-2024-12078 | ECOVACS robot lawnmowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key. | MEDIUM | 5.3 | | 23.8% | Jan 23, 2025 |
| CVE-2024-11147 | ECOVACS robot lawnmowers and vacuums use a deterministic root password generated from the model and serial number. An attacker with shell access can log in as root. | HIGH | 7.0 | | 31.2% | Jan 23, 2025 |
| CVE-2024-52325 | ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection. | MEDIUM | 5.8 | | 85.6% | Jan 23, 2025 |