CVE-2024-52327

Summary

The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed.

Affected Software

VendorProductVersion RangeStatus
ECOVACSECOVACS HOME0 < 3.0.2affected
ECOVACSECOVACS HOME3.0.2unaffected
ECOVACScloud service0 < 2024-12-17affected
ECOVACScloud service2024-12-17unaffected

Weaknesses

  • CWE-603: CWE-603 Use of Client-Side Authentication
  • CWE-807: CWE-807 Reliance on Untrusted Inputs in a Security Decision

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References