CVE-2024-52325

Summary

ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection.

Affected Software

VendorProductVersion RangeStatus
ECOVACSGOAT G10 < 1.36.187affected
ECOVACSGOAT G11.36.187unaffected
ECOVACSGOAT G1-8000 < 1.36.187affected
ECOVACSGOAT G1-8001.36.187unaffected
ECOVACSDEEBOT X2S0 < 1.49.0affected
ECOVACSDEEBOT X2S1.49.0unaffected
ECOVACSDEEBOT X5 PRO0 < 1.70.0affected
ECOVACSDEEBOT X5 PRO1.70.0unaffected
ECOVACSDEEBOT X5 PRO PLUS0 < 1.38.0affected
ECOVACSDEEBOT X5 PRO PLUS1.38.0unaffected
ECOVACSDEEBOT T30 OMNI0 < 1.93.0affected
ECOVACSDEEBOT T30 OMNI1.93.0unaffected
ECOVACSDEEBOT T30S0 < 1.95.0affected
ECOVACSDEEBOT T30S1.95.0unaffected
ECOVACSGOAT G1-20000 < 1.36.187affected
ECOVACSGOAT G1-20001.36.187unaffected
ECOVACSGOAT GX-6000 < 1.2.120affected
ECOVACSGOAT GX-6001.2.120unaffected
ECOVACSDEEBOT X2 OMNI0 < 1.76.6affected
ECOVACSDEEBOT X2 OMNI1.76.6unaffected
ECOVACSDEEBOT X2 COMBO0 < 1.81.10affected
ECOVACSDEEBOT X2 COMBO1.81.10unaffected
ECOVACSDEEBOT X5 PRO ULTRA0 < 1.17.0affected
ECOVACSDEEBOT X5 PRO ULTRA1.17.0unaffected

Weaknesses

  • CWE-77: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References