CVE-2024-52330

moderate-risk
Published 2025-01-23

ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.

Do I need to act?

- 0.66% chance of exploitation (EPSS score: low exploit probability)
- Not on CISA KEV list: no confirmed active exploitation reported to CISA
- Patch status unknown: check vendor advisories for fix availability and mitigation guidance
- CVSS 7.4/10 (High): attack vector NETWORK, attack complexity HIGH

Affected Products (20)

Deebot X2 Omni Firmware
Deebot X2 Combo Firmware
Deebot X2S Firmware
Deebot X5 Pro Firmware
Deebot X5 Pro Plus Firmware
Deebot X5 Pro Ultra Firmware
Mate X Firmware
Deebot X1 Omni Firmware
Deebot X1 Turbo Firmware
Deebot X1 Pro Omni Firmware
Deebot X1 Firmware
Deebot X1 Plus Firmware
Deebot X1S Pro Firmware
Deebot X1S Pro Plus Firmware
Deebot X1E Omni Firmware
Deebot T10 Turbo Firmware
Deebot T10 Plus Firmware
Deebot T10 Firmware
Deebot T10 Omni Firmware
Deebot X2 Pro Firmware

Affected Vendors

ECOVACS
Risk score: 44/100 (moderate-risk)
Severity 22/34 · High
Exploitability 2/34 · Minimal
Exposure 20/34 · Moderate