CVE-2024-52325 - Vulnerability Details

Link	Providers
https://dontvacuum.me/talks/DEFCON32/DEFCON32_reveng_hacking_ecovacs_robots.pdf
https://www.ecovacs.com/global/userhelp/dsa20241119
https://www.ecovacs.com/global/userhelp/dsa20241130001
https://youtu.be/_wUsM0Mlenc?t=2041

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Type	Values Removed	Values Added
Description		ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection.
Title		ECOVACS robot lawnmowers and vacuums command injection
Weaknesses		CWE-77
References		https://dontvacuum.me/talks/DEFCON32/DEFCON32_reveng_hacking_ecovacs_robots.pdf https://www.ecovacs.com/global/userhelp/dsa20241119 https://www.ecovacs.com/global/userhelp/dsa20241130001 https://youtu.be/_wUsM0Mlenc?t=2041
Metrics		cvssV3_1 `{'score': 9.6, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}` cvssV4_0 `{'score': 5.8, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H'}`

Show plain JSON

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-52325", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "state": "PUBLISHED", "assignerShortName": "cisa-cg", "dateReserved": "2024-11-08T01:06:02.404Z", "datePublished": "2025-01-23T15:56:30.185Z", "dateUpdated": "2025-02-12T20:41:26.651Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection."}], "affected": [{"vendor": "ECOVACS", "product": "GOAT G1", "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.36.187", "versionType": "custom"}, {"version": "1.36.187", "status": "unaffected"}]}, {"vendor": "ECOVACS", "product": "GOAT G1-800", "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.36.187", "versionType": "custom"}, {"version": "1.36.187", "status": "unaffected"}]}, {"vendor": "ECOVACS", "product": "DEEBOT X2S", "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.49.0", "versionType": "custom"}, {"version": "1.49.0", "status": "unaffected"}]}, {"vendor": "ECOVACS", "product": "DEEBOT X5 PRO", "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.70.0", "versionType": "custom"}, {"version": "1.70.0", "status": "unaffected"}]}, {"vendor": "ECOVACS", "product": "DEEBOT X5 PRO PLUS", "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.38.0", "versionType": "custom"}, {"version": "1.38.0", "status": "unaffected"}]}, {"vendor": "ECOVACS", "product": "DEEBOT T30 OMNI", "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.93.0", "versionType": "custom"}, {"version": "1.93.0", "status": "unaffected"}]}, {"vendor": "ECOVACS", "product": "DEEBOT T30S", "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.95.0", "versionType": "custom"}, {"version": "1.95.0", "status": "unaffected"}]}, {"vendor": "ECOVACS", "product": "GOAT G1-2000", "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.36.187", "versionType": "custom"}, {"version": "1.36.187", "status": "unaffected"}]}, {"vendor": "ECOVACS", "product": "GOAT GX-600", "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.2.120", "versionType": "custom"}, {"version": "1.2.120", "status": "unaffected"}]}, {"vendor": "ECOVACS", "product": "DEEBOT X2  OMNI", "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.76.6", "versionType": "custom"}, {"version": "1.76.6", "status": "unaffected"}]}, {"vendor": "ECOVACS", "product": "DEEBOT X2 COMBO", "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.81.10", "versionType": "custom"}, {"version": "1.81.10", "status": "unaffected"}]}, {"vendor": "ECOVACS", "product": "DEEBOT X5 PRO ULTRA", "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.17.0", "versionType": "custom"}, {"version": "1.17.0", "status": "unaffected"}]}], "problemTypes": [{"descriptions": [{"description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en", "type": "CWE", "cweId": "CWE-77"}]}], "metrics": [{"cvssV4_0": {"baseScore": 5.8, "baseSeverity": "MEDIUM", "version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"}, "format": "CVSS"}, {"cvssV3_1": {"baseScore": 9.6, "baseSeverity": "CRITICAL", "version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}, "format": "CVSS"}], "title": "ECOVACS robot lawnmowers and vacuums command injection", "references": [{"name": "url", "url": "https://dontvacuum.me/talks/DEFCON32/DEFCON32_reveng_hacking_ecovacs_robots.pdf"}, {"name": "url", "url": "https://youtu.be/_wUsM0Mlenc?t=2041"}, {"name": "url", "url": "https://www.ecovacs.com/global/userhelp/dsa20241130001"}, {"name": "url", "url": "https://www.ecovacs.com/global/userhelp/dsa20241119"}], "datePublic": "2024-08-11T00:00:00.000Z", "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2025-01-24T15:04:12.565Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-52325", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-23T16:11:52.931430Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T20:41:26.651Z"}}]}}

{

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

cveMetadata : { »

cveId : CVE-2024-52325 (string)

assignerOrgId : 9119a7d8-5eab-497f-8521-727c672e3725 (string)

state : PUBLISHED (string)

assignerShortName : cisa-cg (string)

dateReserved : 2024-11-08T01:06:02.404Z (string)

datePublished : 2025-01-23T15:56:30.185Z (string)

dateUpdated : 2025-02-12T20:41:26.651Z (string)

}

containers : { »

cna : { »

descriptions : [ »

0 : { »

lang : en (string)

value : ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection. (string)

}

]

affected : [ »

0 : { »

vendor : ECOVACS (string)

product : GOAT G1 (string)

defaultStatus : unknown (string)

versions : [ »

0 : { »

version : 0 (string)

status : affected (string)

lessThan : 1.36.187 (string)

versionType : custom (string)

}

1 : { »

version : 1.36.187 (string)

status : unaffected (string)

}

]

}

1 : { »

vendor : ECOVACS (string)

product : GOAT G1-800 (string)

defaultStatus : unknown (string)

versions : [ »

0 : { »

version : 0 (string)

status : affected (string)

lessThan : 1.36.187 (string)

versionType : custom (string)

}

1 : { »

version : 1.36.187 (string)

status : unaffected (string)

}

]

}

2 : { »

vendor : ECOVACS (string)

product : DEEBOT X2S (string)

defaultStatus : unknown (string)

versions : [ »

0 : { »

version : 0 (string)

status : affected (string)

lessThan : 1.49.0 (string)

versionType : custom (string)

}

1 : { »

version : 1.49.0 (string)

status : unaffected (string)

}

]

}

3 : { »

vendor : ECOVACS (string)

product : DEEBOT X5 PRO (string)

defaultStatus : unknown (string)

versions : [ »

0 : { »

version : 0 (string)

status : affected (string)

lessThan : 1.70.0 (string)

versionType : custom (string)

}

1 : { »

version : 1.70.0 (string)

status : unaffected (string)

}

]

}

4 : { »

vendor : ECOVACS (string)

product : DEEBOT X5 PRO PLUS (string)

defaultStatus : unknown (string)

versions : [ »

0 : { »

version : 0 (string)

status : affected (string)

lessThan : 1.38.0 (string)

versionType : custom (string)

}

1 : { »

version : 1.38.0 (string)

status : unaffected (string)

}

]

}

5 : { »

vendor : ECOVACS (string)

product : DEEBOT T30 OMNI (string)

defaultStatus : unknown (string)

versions : [ »

0 : { »

version : 0 (string)

status : affected (string)

lessThan : 1.93.0 (string)

versionType : custom (string)

}

1 : { »

version : 1.93.0 (string)

status : unaffected (string)

}

]

}

6 : { »

vendor : ECOVACS (string)

product : DEEBOT T30S (string)

defaultStatus : unknown (string)

versions : [ »

0 : { »

version : 0 (string)

status : affected (string)

lessThan : 1.95.0 (string)

versionType : custom (string)

}

1 : { »

version : 1.95.0 (string)

status : unaffected (string)

}

]

}

7 : { »

vendor : ECOVACS (string)

product : GOAT G1-2000 (string)

defaultStatus : unknown (string)

versions : [ »

0 : { »

version : 0 (string)

status : affected (string)

lessThan : 1.36.187 (string)

versionType : custom (string)

}

1 : { »

version : 1.36.187 (string)

status : unaffected (string)

}

]

}

8 : { »

vendor : ECOVACS (string)

product : GOAT GX-600 (string)

defaultStatus : unknown (string)

versions : [ »

0 : { »

version : 0 (string)

status : affected (string)

lessThan : 1.2.120 (string)

versionType : custom (string)

}

1 : { »

version : 1.2.120 (string)

status : unaffected (string)

}

]

}

9 : { »

vendor : ECOVACS (string)

product : DEEBOT X2 OMNI (string)

defaultStatus : unknown (string)

versions : [ »

0 : { »

version : 0 (string)

status : affected (string)

lessThan : 1.76.6 (string)

versionType : custom (string)

}

1 : { »

version : 1.76.6 (string)

status : unaffected (string)

}

]

}

10 : { »

vendor : ECOVACS (string)

product : DEEBOT X2 COMBO (string)

defaultStatus : unknown (string)

versions : [ »

0 : { »

version : 0 (string)

status : affected (string)

lessThan : 1.81.10 (string)

versionType : custom (string)

}

1 : { »

version : 1.81.10 (string)

status : unaffected (string)

}

]

}

11 : { »

vendor : ECOVACS (string)

product : DEEBOT X5 PRO ULTRA (string)

defaultStatus : unknown (string)

versions : [ »

0 : { »

version : 0 (string)

status : affected (string)

lessThan : 1.17.0 (string)

versionType : custom (string)

}

1 : { »

version : 1.17.0 (string)

status : unaffected (string)

}

]

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

description : CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') (string)

lang : en (string)

type : CWE (string)

cweId : CWE-77 (string)

}

]

}

]

metrics : [ »

0 : { »

cvssV4_0 : { »

baseScore : 5.8 (number)

baseSeverity : MEDIUM (string)

version : 4.0 (string)

vectorString : CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H (string)

}

format : CVSS (string)

}

1 : { »

cvssV3_1 : { »

baseScore : 9.6 (number)

baseSeverity : CRITICAL (string)

version : 3.1 (string)

vectorString : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (string)

}

format : CVSS (string)

}

]

title : ECOVACS robot lawnmowers and vacuums command injection (string)

references : [ »

0 : { »

name : url (string)

url : https://dontvacuum.me/talks/DEFCON32/DEFCON32_reveng_hacking_ecovacs_robots.pdf (string)

}

1 : { »

name : url (string)

url : https://youtu.be/_wUsM0Mlenc?t=2041 (string)

}

2 : { »

name : url (string)

url : https://www.ecovacs.com/global/userhelp/dsa20241130001 (string)

}

3 : { »

name : url (string)

url : https://www.ecovacs.com/global/userhelp/dsa20241119 (string)

}

]

datePublic : 2024-08-11T00:00:00.000Z (string)

providerMetadata : { »

orgId : 9119a7d8-5eab-497f-8521-727c672e3725 (string)

shortName : cisa-cg (string)

dateUpdated : 2025-01-24T15:04:12.565Z (string)

}

adp : [ »

0 : { »

metrics : [ »

0 : { »

other : { »

type : ssvc (string)

content : { »

id : CVE-2024-52325 (string)

role : CISA Coordinator (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : no (string)

}

2 : { »

Technical Impact : total (string)

}

]

version : 2.0.3 (string)

timestamp : 2025-01-23T16:11:52.931430Z (string)

}

]

title : CISA ADP Vulnrichment (string)

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2025-02-12T20:41:26.651Z (string)

}

]

}

Show plain JSON

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-52325", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-01-23T16:11:52.931430Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T20:34:47.477Z"}}], "cna": {"title": "ECOVACS robot lawnmowers and vacuums command injection", "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 5.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"}}, {"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 9.6, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"}}], "affected": [{"vendor": "ECOVACS", "product": "GOAT G1", "versions": [{"status": "affected", "version": "0", "lessThan": "1.36.187", "versionType": "custom"}, {"status": "unaffected", "version": "1.36.187"}], "defaultStatus": "unknown"}, {"vendor": "ECOVACS", "product": "GOAT G1-800", "versions": [{"status": "affected", "version": "0", "lessThan": "1.36.187", "versionType": "custom"}, {"status": "unaffected", "version": "1.36.187"}], "defaultStatus": "unknown"}, {"vendor": "ECOVACS", "product": "DEEBOT X2S", "versions": [{"status": "affected", "version": "0", "lessThan": "1.49.0", "versionType": "custom"}, {"status": "unaffected", "version": "1.49.0"}], "defaultStatus": "unknown"}, {"vendor": "ECOVACS", "product": "DEEBOT X5 PRO", "versions": [{"status": "affected", "version": "0", "lessThan": "1.70.0", "versionType": "custom"}, {"status": "unaffected", "version": "1.70.0"}], "defaultStatus": "unknown"}, {"vendor": "ECOVACS", "product": "DEEBOT X5 PRO PLUS", "versions": [{"status": "affected", "version": "0", "lessThan": "1.38.0", "versionType": "custom"}, {"status": "unaffected", "version": "1.38.0"}], "defaultStatus": "unknown"}, {"vendor": "ECOVACS", "product": "DEEBOT T30 OMNI", "versions": [{"status": "affected", "version": "0", "lessThan": "1.93.0", "versionType": "custom"}, {"status": "unaffected", "version": "1.93.0"}], "defaultStatus": "unknown"}, {"vendor": "ECOVACS", "product": "DEEBOT T30S", "versions": [{"status": "affected", "version": "0", "lessThan": "1.95.0", "versionType": "custom"}, {"status": "unaffected", "version": "1.95.0"}], "defaultStatus": "unknown"}, {"vendor": "ECOVACS", "product": "GOAT G1-2000", "versions": [{"status": "affected", "version": "0", "lessThan": "1.36.187", "versionType": "custom"}, {"status": "unaffected", "version": "1.36.187"}], "defaultStatus": "unknown"}, {"vendor": "ECOVACS", "product": "GOAT GX-600", "versions": [{"status": "affected", "version": "0", "lessThan": "1.2.120", "versionType": "custom"}, {"status": "unaffected", "version": "1.2.120"}], "defaultStatus": "unknown"}, {"vendor": "ECOVACS", "product": "DEEBOT X2  OMNI", "versions": [{"status": "affected", "version": "0", "lessThan": "1.76.6", "versionType": "custom"}, {"status": "unaffected", "version": "1.76.6"}], "defaultStatus": "unknown"}, {"vendor": "ECOVACS", "product": "DEEBOT X2 COMBO", "versions": [{"status": "affected", "version": "0", "lessThan": "1.81.10", "versionType": "custom"}, {"status": "unaffected", "version": "1.81.10"}], "defaultStatus": "unknown"}, {"vendor": "ECOVACS", "product": "DEEBOT X5 PRO ULTRA", "versions": [{"status": "affected", "version": "0", "lessThan": "1.17.0", "versionType": "custom"}, {"status": "unaffected", "version": "1.17.0"}], "defaultStatus": "unknown"}], "datePublic": "2024-08-11T00:00:00.000Z", "references": [{"url": "https://dontvacuum.me/talks/DEFCON32/DEFCON32_reveng_hacking_ecovacs_robots.pdf", "name": "url"}, {"url": "https://youtu.be/_wUsM0Mlenc?t=2041", "name": "url"}, {"url": "https://www.ecovacs.com/global/userhelp/dsa20241130001", "name": "url"}, {"url": "https://www.ecovacs.com/global/userhelp/dsa20241119", "name": "url"}], "descriptions": [{"lang": "en", "value": "ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2025-01-24T15:04:12.565Z"}}}, "cveMetadata": {"cveId": "CVE-2024-52325", "state": "PUBLISHED", "dateUpdated": "2025-02-12T20:41:26.651Z", "dateReserved": "2024-11-08T01:06:02.404Z", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "datePublished": "2025-01-23T15:56:30.185Z", "assignerShortName": "cisa-cg"}, "dataVersion": "5.1"}

{

dataType : CVE_RECORD (string)

containers : { »

adp : [ »

0 : { »

title : CISA ADP Vulnrichment (string)

metrics : [ »

0 : { »

other : { »

type : ssvc (string)

content : { »

id : CVE-2024-52325 (string)

role : CISA Coordinator (string)

options : [ »

0 : { »

Exploitation : none (string)

}

1 : { »

Automatable : no (string)

}

2 : { »

Technical Impact : total (string)

}

]

version : 2.0.3 (string)

timestamp : 2025-01-23T16:11:52.931430Z (string)

}

]

providerMetadata : { »

orgId : 134c704f-9b21-4f2e-91b3-4a467353bcc0 (string)

shortName : CISA-ADP (string)

dateUpdated : 2025-02-12T20:34:47.477Z (string)

}

]

cna : { »

title : ECOVACS robot lawnmowers and vacuums command injection (string)

metrics : [ »

0 : { »

format : CVSS (string)

cvssV4_0 : { »

version : 4.0 (string)

baseScore : 5.8 (number)

baseSeverity : MEDIUM (string)

vectorString : CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H (string)

}

1 : { »

format : CVSS (string)

cvssV3_1 : { »

version : 3.1 (string)

baseScore : 9.6 (number)

baseSeverity : CRITICAL (string)

vectorString : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (string)

}

]

affected : [ »

0 : { »

vendor : ECOVACS (string)

product : GOAT G1 (string)

versions : [ »

0 : { »

status : affected (string)

version : 0 (string)

lessThan : 1.36.187 (string)

versionType : custom (string)

}

1 : { »

status : unaffected (string)

version : 1.36.187 (string)

}

]

defaultStatus : unknown (string)

}

1 : { »

vendor : ECOVACS (string)

product : GOAT G1-800 (string)

versions : [ »

0 : { »

status : affected (string)

version : 0 (string)

lessThan : 1.36.187 (string)

versionType : custom (string)

}

1 : { »

status : unaffected (string)

version : 1.36.187 (string)

}

]

defaultStatus : unknown (string)

}

2 : { »

vendor : ECOVACS (string)

product : DEEBOT X2S (string)

versions : [ »

0 : { »

status : affected (string)

version : 0 (string)

lessThan : 1.49.0 (string)

versionType : custom (string)

}

1 : { »

status : unaffected (string)

version : 1.49.0 (string)

}

]

defaultStatus : unknown (string)

}

3 : { »

vendor : ECOVACS (string)

product : DEEBOT X5 PRO (string)

versions : [ »

0 : { »

status : affected (string)

version : 0 (string)

lessThan : 1.70.0 (string)

versionType : custom (string)

}

1 : { »

status : unaffected (string)

version : 1.70.0 (string)

}

]

defaultStatus : unknown (string)

}

4 : { »

vendor : ECOVACS (string)

product : DEEBOT X5 PRO PLUS (string)

versions : [ »

0 : { »

status : affected (string)

version : 0 (string)

lessThan : 1.38.0 (string)

versionType : custom (string)

}

1 : { »

status : unaffected (string)

version : 1.38.0 (string)

}

]

defaultStatus : unknown (string)

}

5 : { »

vendor : ECOVACS (string)

product : DEEBOT T30 OMNI (string)

versions : [ »

0 : { »

status : affected (string)

version : 0 (string)

lessThan : 1.93.0 (string)

versionType : custom (string)

}

1 : { »

status : unaffected (string)

version : 1.93.0 (string)

}

]

defaultStatus : unknown (string)

}

6 : { »

vendor : ECOVACS (string)

product : DEEBOT T30S (string)

versions : [ »

0 : { »

status : affected (string)

version : 0 (string)

lessThan : 1.95.0 (string)

versionType : custom (string)

}

1 : { »

status : unaffected (string)

version : 1.95.0 (string)

}

]

defaultStatus : unknown (string)

}

7 : { »

vendor : ECOVACS (string)

product : GOAT G1-2000 (string)

versions : [ »

0 : { »

status : affected (string)

version : 0 (string)

lessThan : 1.36.187 (string)

versionType : custom (string)

}

1 : { »

status : unaffected (string)

version : 1.36.187 (string)

}

]

defaultStatus : unknown (string)

}

8 : { »

vendor : ECOVACS (string)

product : GOAT GX-600 (string)

versions : [ »

0 : { »

status : affected (string)

version : 0 (string)

lessThan : 1.2.120 (string)

versionType : custom (string)

}

1 : { »

status : unaffected (string)

version : 1.2.120 (string)

}

]

defaultStatus : unknown (string)

}

9 : { »

vendor : ECOVACS (string)

product : DEEBOT X2 OMNI (string)

versions : [ »

0 : { »

status : affected (string)

version : 0 (string)

lessThan : 1.76.6 (string)

versionType : custom (string)

}

1 : { »

status : unaffected (string)

version : 1.76.6 (string)

}

]

defaultStatus : unknown (string)

}

10 : { »

vendor : ECOVACS (string)

product : DEEBOT X2 COMBO (string)

versions : [ »

0 : { »

status : affected (string)

version : 0 (string)

lessThan : 1.81.10 (string)

versionType : custom (string)

}

1 : { »

status : unaffected (string)

version : 1.81.10 (string)

}

]

defaultStatus : unknown (string)

}

11 : { »

vendor : ECOVACS (string)

product : DEEBOT X5 PRO ULTRA (string)

versions : [ »

0 : { »

status : affected (string)

version : 0 (string)

lessThan : 1.17.0 (string)

versionType : custom (string)

}

1 : { »

status : unaffected (string)

version : 1.17.0 (string)

}

]

defaultStatus : unknown (string)

}

]

datePublic : 2024-08-11T00:00:00.000Z (string)

references : [ »

0 : { »

url : https://dontvacuum.me/talks/DEFCON32/DEFCON32_reveng_hacking_ecovacs_robots.pdf (string)

name : url (string)

}

1 : { »

url : https://youtu.be/_wUsM0Mlenc?t=2041 (string)

name : url (string)

}

2 : { »

url : https://www.ecovacs.com/global/userhelp/dsa20241130001 (string)

name : url (string)

}

3 : { »

url : https://www.ecovacs.com/global/userhelp/dsa20241119 (string)

name : url (string)

}

]

descriptions : [ »

0 : { »

lang : en (string)

value : ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

lang : en (string)

type : CWE (string)

cweId : CWE-77 (string)

description : CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') (string)

}

]

}

]

providerMetadata : { »

orgId : 9119a7d8-5eab-497f-8521-727c672e3725 (string)

shortName : cisa-cg (string)

dateUpdated : 2025-01-24T15:04:12.565Z (string)

}

cveMetadata : { »

cveId : CVE-2024-52325 (string)

state : PUBLISHED (string)

dateUpdated : 2025-02-12T20:41:26.651Z (string)

dateReserved : 2024-11-08T01:06:02.404Z (string)

assignerOrgId : 9119a7d8-5eab-497f-8521-727c672e3725 (string)

datePublished : 2025-01-23T15:56:30.185Z (string)

assignerShortName : cisa-cg (string)

}

dataVersion : 5.1 (string)

}

Show plain JSON

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection."}], "id": "CVE-2024-52325", "lastModified": "2025-01-23T16:15:35.943", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "ADJACENT", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "HIGH", "subsequentSystemConfidentiality": "HIGH", "subsequentSystemIntegrity": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "NONE", "vulnerableSystemIntegrity": "NONE"}, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}, "published": "2025-01-23T16:15:35.943", "references": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://dontvacuum.me/talks/DEFCON32/DEFCON32_reveng_hacking_ecovacs_robots.pdf"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://www.ecovacs.com/global/userhelp/dsa20241119"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://www.ecovacs.com/global/userhelp/dsa20241130001"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "url": "https://youtu.be/_wUsM0Mlenc?t=2041"}], "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}

{

cveTags : [ *empty* ]

descriptions : [ »

0 : { »

lang : en (string)

value : ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection. (string)

}

]

id : CVE-2024-52325 (string)

lastModified : 2025-01-23T16:15:35.943 (string)

metrics : { »

cvssMetricV31 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackVector : ADJACENT_NETWORK (string)

availabilityImpact : HIGH (string)

baseScore : 9.6 (number)

baseSeverity : CRITICAL (string)

confidentialityImpact : HIGH (string)

integrityImpact : HIGH (string)

privilegesRequired : NONE (string)

scope : CHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (string)

version : 3.1 (string)

}

exploitabilityScore : 2.8 (number)

impactScore : 6 (number)

source : 9119a7d8-5eab-497f-8521-727c672e3725 (string)

type : Secondary (string)

}

]

cvssMetricV40 : [ »

0 : { »

cvssData : { »

attackComplexity : LOW (string)

attackRequirements : PRESENT (string)

attackVector : ADJACENT (string)

automatable : NOT_DEFINED (string)

availabilityRequirements : NOT_DEFINED (string)

baseScore : 5.8 (number)

baseSeverity : MEDIUM (string)

confidentialityRequirements : NOT_DEFINED (string)

exploitMaturity : NOT_DEFINED (string)

integrityRequirements : NOT_DEFINED (string)

modifiedAttackComplexity : NOT_DEFINED (string)

modifiedAttackRequirements : NOT_DEFINED (string)

modifiedAttackVector : NOT_DEFINED (string)

modifiedPrivilegesRequired : NOT_DEFINED (string)

modifiedSubsequentSystemAvailability : NOT_DEFINED (string)

modifiedSubsequentSystemConfidentiality : NOT_DEFINED (string)

modifiedSubsequentSystemIntegrity : NOT_DEFINED (string)

modifiedUserInteraction : NOT_DEFINED (string)

modifiedVulnerableSystemAvailability : NOT_DEFINED (string)

modifiedVulnerableSystemConfidentiality : NOT_DEFINED (string)

modifiedVulnerableSystemIntegrity : NOT_DEFINED (string)

privilegesRequired : NONE (string)

providerUrgency : NOT_DEFINED (string)

recovery : NOT_DEFINED (string)

safety : NOT_DEFINED (string)

subsequentSystemAvailability : HIGH (string)

subsequentSystemConfidentiality : HIGH (string)

subsequentSystemIntegrity : HIGH (string)

userInteraction : NONE (string)

valueDensity : NOT_DEFINED (string)

vectorString : CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X (string)

version : 4.0 (string)

vulnerabilityResponseEffort : NOT_DEFINED (string)

vulnerableSystemAvailability : NONE (string)

vulnerableSystemConfidentiality : NONE (string)

vulnerableSystemIntegrity : NONE (string)

}

source : 9119a7d8-5eab-497f-8521-727c672e3725 (string)

type : Secondary (string)

}

]

}

published : 2025-01-23T16:15:35.943 (string)

references : [ »

0 : { »

source : 9119a7d8-5eab-497f-8521-727c672e3725 (string)

url : https://dontvacuum.me/talks/DEFCON32/DEFCON32_reveng_hacking_ecovacs_robots.pdf (string)

}

1 : { »

source : 9119a7d8-5eab-497f-8521-727c672e3725 (string)

url : https://www.ecovacs.com/global/userhelp/dsa20241119 (string)

}

2 : { »

source : 9119a7d8-5eab-497f-8521-727c672e3725 (string)

url : https://www.ecovacs.com/global/userhelp/dsa20241130001 (string)

}

3 : { »

source : 9119a7d8-5eab-497f-8521-727c672e3725 (string)

url : https://youtu.be/_wUsM0Mlenc?t=2041 (string)

}

]

sourceIdentifier : 9119a7d8-5eab-497f-8521-727c672e3725 (string)

vulnStatus : Received (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-77 (string)

}

]

source : 9119a7d8-5eab-497f-8521-727c672e3725 (string)

type : Secondary (string)

}

]

}

Metrics

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

Metrics

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object