CVE-2024-52330

Summary

ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.

Affected Software

VendorProductVersion RangeStatus
ECOVACSDEEBOT X5 PRO PLUS1.38.0unaffected
ECOVACSDEEBOT X5 PRO PLUS0 < 1.38.0affected
ECOVACSDEEBOT X5 PRO1.70.0unaffected
ECOVACSDEEBOT X5 PRO0 < 1.70.0affected
ECOVACSDEEBOT X2S0 < 1.49.0affected
ECOVACSDEEBOT X2S1.49.0unaffected
ECOVACSDEEBOT X2 OMNI1.76.6unaffected
ECOVACSDEEBOT X2 OMNI0 < 1.76.6affected
ECOVACSDEEBOT X1 TURBO0 < 2.4.41affected
ECOVACSDEEBOT X1 TURBO2.4.41unaffected
ECOVACSDEEBOT X11.7.3unaffected
ECOVACSDEEBOT X10 < 1.7.3affected
ECOVACSDEEBOT X1S PRO2.5.31unaffected
ECOVACSDEEBOT X1S PRO0 < 2.5.31affected
ECOVACSDEEBOT X1e OMNI2.4.42unaffected
ECOVACSDEEBOT X1e OMNI0 < 2.4.42affected
ECOVACSDEEBOT T10 PLUS1.7.5unaffected
ECOVACSDEEBOT T10 PLUS0 < 1.7.5affected
ECOVACSDEEBOT T10 OMNI0 < 1.9.0affected
ECOVACSDEEBOT T10 OMNI1.9.0unaffected
ECOVACSDEEBOT X5 PRO ULTRA0 < 1.17.0affected
ECOVACSDEEBOT X5 PRO ULTRA1.17.0unaffected
ECOVACSMate X1.44.18unaffected
ECOVACSMate X0 < 1.44.18affected
ECOVACSDEEBOT X2 PRO1.76.6unaffected
ECOVACSDEEBOT X2 PRO0 < 1.76.6affected
ECOVACSDEEBOT X2 COMBO0 < 1.81.10affected
ECOVACSDEEBOT X2 COMBO1.81.10unaffected
ECOVACSDEEBOT X1 OMNI0 < 2.4.41affected
ECOVACSDEEBOT X1 OMNI2.4.41unaffected
ECOVACSDEEBOT X1 PRO OMNI2.4.41unaffected
ECOVACSDEEBOT X1 PRO OMNI0 < 2.4.41affected
ECOVACSDEEBOT X1 PLUS1.7.3unaffected
ECOVACSDEEBOT X1 PLUS0 < 1.7.3affected
ECOVACSDEEBOT X1S PRO PLUS1.23.0unaffected
ECOVACSDEEBOT X1S PRO PLUS0 < 1.23.0affected
ECOVACSDEEBOT T10 TURBO1.10.0unaffected
ECOVACSDEEBOT T10 TURBO0 < 1.10.0affected
ECOVACSDEEBOT T100 < 1.7.5affected
ECOVACSDEEBOT T101.7.5unaffected

Weaknesses

  • CWE-295: CWE-295 Improper Certificate Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References