CVE-2024-52327

The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf	Exploit Third Party Advisory
https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf	Exploit Third Party Advisory
https://www.ecovacs.com/global/userhelp/dsa20241217002	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ecovacs:home::::::android::*
	cpe:2.3:a:ecovacs:home::::::iphone_os::*

History

23 Sep 2025, 17:34

Type	Values Removed	Values Added
First Time		Ecovacs home Ecovacs
References	~~() https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf -~~	() https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf - Exploit, Third Party Advisory
References	~~() https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf -~~	() https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf - Exploit, Third Party Advisory
References	~~() https://www.ecovacs.com/global/userhelp/dsa20241217002 -~~	() https://www.ecovacs.com/global/userhelp/dsa20241217002 - Vendor Advisory
CPE		cpe:2.3:a:ecovacs:home::::::iphone_os::* cpe:2.3:a:ecovacs:home::::::android::*
Summary		(es) El servicio en la nube utilizado por los robots cortacésped y aspiradores ECOVACS permite a atacantes autenticados eludir la entrada del PIN necesaria para acceder a la transmisión de vídeo en directo.

23 Jan 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-23 17:15

Updated : 2025-09-23 17:34

NVD link : CVE-2024-52327

Mitre link : CVE-2024-52327

CVE.ORG link : CVE-2024-52327

JSON object : View

Products Affected

ecovacs

home

CWE

CWE-603

Use of Client-Side Authentication

CWE-807

Reliance on Untrusted Inputs in a Security Decision

{"id": "CVE-2024-52327", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-01-23T17:15:13.890", "references": [{"url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf", "tags": ["Exploit", "Third Party Advisory"], "source": "9119a7d8-5eab-497f-8521-727c672e3725"}, {"url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf", "tags": ["Exploit", "Third Party Advisory"], "source": "9119a7d8-5eab-497f-8521-727c672e3725"}, {"url": "https://www.ecovacs.com/global/userhelp/dsa20241217002", "tags": ["Vendor Advisory"], "source": "9119a7d8-5eab-497f-8521-727c672e3725"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "9119a7d8-5eab-497f-8521-727c672e3725", "description": [{"lang": "en", "value": "CWE-603"}, {"lang": "en", "value": "CWE-807"}]}], "descriptions": [{"lang": "en", "value": "The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed."}, {"lang": "es", "value": "El servicio en la nube utilizado por los robots cortac\u00e9sped y aspiradores ECOVACS permite a atacantes autenticados eludir la entrada del PIN necesaria para acceder a la transmisi\u00f3n de v\u00eddeo en directo."}], "lastModified": "2025-09-23T17:34:21.930", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ecovacs:home:*:*:*:*:*:android:*:*", "vulnerable": true, "matchCriteriaId": "3E821D04-DCF5-41B9-8243-81A12D3A4F81", "versionEndExcluding": "3.0.2"}, {"criteria": "cpe:2.3:a:ecovacs:home:*:*:*:*:*:iphone_os:*:*", "vulnerable": true, "matchCriteriaId": "8789EBAC-69FF-4527-87EC-DC6AF83B6E9A", "versionEndExcluding": "3.0.2"}], "operator": "OR"}]}], "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725"}