CVE-2024-52325
Published: 2025-01-23

CVE-2024-52325: ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection.

Priority: P2 61 | CVSS 3.1: 9.6 (critical)
Vector: AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 2.98% (85.6th percentile)
Affected: 24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ecovacs | deebot_t30_omni | < 1.93.0 | 1.93.0 |
| ecovacs | deebot_t30_omni_firmware | < 1.93.0 | 1.93.0 |
| ecovacs | deebot_t30s | < 1.95.0 | 1.95.0 |
| ecovacs | deebot_t30s_firmware | < 1.95.0 | 1.95.0 |
| ecovacs | deebot_x2_combo | < 1.81.10 | 1.81.10 |
| ecovacs | deebot_x2_combo_firmware | < 1.81.10 | 1.81.10 |
| ecovacs | deebot_x2_omni | < 1.76.6 | 1.76.6 |
| ecovacs | deebot_x2_omni_firmware | < 1.76.6 | 1.76.6 |
| ecovacs | deebot_x2s | < 1.49.0 | 1.49.0 |
| ecovacs | deebot_x2s_firmware | < 1.49.0 | 1.49.0 |
| ecovacs | deebot_x5_pro | < 1.70.0 | 1.70.0 |
| ecovacs | deebot_x5_pro_firmware | < 1.70.0 | 1.70.0 |
| ecovacs | deebot_x5_pro_plus | < 1.38.0 | 1.38.0 |
| ecovacs | deebot_x5_pro_plus_firmware | < 1.38.0 | 1.38.0 |
| ecovacs | deebot_x5_pro_ultra | < 1.17.0 | 1.17.0 |
| ecovacs | deebot_x5_pro_ultra_firmware | < 1.17.0 | 1.17.0 |
| ecovacs | goat_g1 | < 1.36.187 | 1.36.187 |
| ecovacs | goat_g1-2000 | < 1.36.187 | 1.36.187 |
| ecovacs | goat_g1-2000_firmware | < 1.36.187 | 1.36.187 |
| ecovacs | goat_g1-800 | < 1.36.187 | 1.36.187 |
| ecovacs | goat_g1-800_firmware | < 1.36.187 | 1.36.187 |
| ecovacs | goat_g1_firmware | < 1.36.187 | 1.36.187 |
| ecovacs | goat_gx-600 | < 1.2.120 | 1.2.120 |
| ecovacs | gx-600_firmware | < 1.2.120 | 1.2.120 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.6 | CRITICAL | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| NVD | 4.0 | 5.8 | MEDIUM | CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.