CVE-2024-52331

Summary

ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.

Affected Software

VendorProductVersion RangeStatus
ECOVACSUnspecified robots*affected

Weaknesses

  • CWE-494: CWE-494 Download of Code Without Integrity Check
  • CWE-1391: CWE-1391 Use of Weak Credentials
  • CWE-327: CWE-327 Use of a Broken or Risky Cryptographic Algorithm

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References