CVE-2024-52329
9.5
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H
Summary
ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ECOVACS | ECOVACS HOME | 3.0.0 | unaffected |
| ECOVACS | ECOVACS HOME | 0 < 3.0.0 | affected |
Weaknesses
- CWE-295: CWE-295 Improper Certificate Validation
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
References
- https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf
- https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf
- https://www.ecovacs.com/global/userhelp/dsa20241217001
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.