CVE-2024-52328

ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on.

CVSS v3 2.3 LOW

2.3^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 0.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf	Exploit Third Party Advisory
https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:ecovacs:deebot_n8_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:deebot_n8:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:ecovacs:deebot_900_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:deebot_900:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:ecovacs:deebot_t8_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:deebot_t8:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:ecovacs:deebot_n9_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:deebot_n9:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:ecovacs:deebot_t9_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:deebot_t9:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:ecovacs:deebot_n10_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:deebot_n10:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:ecovacs:deebot_t10_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:deebot_t10:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:ecovacs:deebot_x1_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:deebot_x1:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:ecovacs:deebot_t20_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:deebot_t20:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:ecovacs:deebot_x2_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:deebot_x2:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

cpe:2.3:o:ecovacs:goat_g1_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:goat_g1:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND

cpe:2.3:o:ecovacs:airbot_z1_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:airbot_z1:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND

cpe:2.3:o:ecovacs:airbot_ava_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:airbot_ava:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND

cpe:2.3:o:ecovacs:airbot_andy_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:airbot_andy:-:*:*:*:*:*:*:*

History

23 Sep 2025, 17:44

Type	Values Removed	Values Added
References	~~() https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf -~~	() https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf - Exploit, Third Party Advisory
References	~~() https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf -~~	() https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf - Exploit, Third Party Advisory
First Time		Ecovacs deebot T20 Firmware Ecovacs deebot T20 Ecovacs airbot Andy Ecovacs deebot T9 Ecovacs deebot T8 Ecovacs deebot N8 Firmware Ecovacs deebot N9 Firmware Ecovacs airbot Ava Ecovacs goat G1 Firmware Ecovacs deebot N8 Ecovacs Ecovacs deebot N9 Ecovacs airbot Z1 Firmware Ecovacs goat G1 Ecovacs deebot T10 Firmware Ecovacs deebot X1 Ecovacs airbot Andy Firmware Ecovacs deebot N10 Firmware Ecovacs airbot Z1 Ecovacs deebot X1 Firmware Ecovacs deebot 900 Ecovacs deebot 900 Firmware Ecovacs deebot X2 Firmware Ecovacs deebot T10 Ecovacs deebot N10 Ecovacs deebot T8 Firmware Ecovacs airbot Ava Firmware Ecovacs deebot T9 Firmware Ecovacs deebot X2
Summary		(es) Los robots cortacésped y aspiradores ECOVACS almacenan de forma insegura archivos de audio que se utilizan para indicar que la cámara está encendida. Un atacante con acceso al sistema de archivos /data puede eliminar o modificar los archivos de advertencia de forma que los usuarios no sepan que la cámara está encendida.
CPE		cpe:2.3:h:ecovacs:deebot_n9:-:::::::* cpe:2.3:h:ecovacs:airbot_z1:-:::::::* cpe:2.3:o:ecovacs:deebot_900_firmware:-:::::::* cpe:2.3:o:ecovacs:deebot_n10_firmware:-:::::::* cpe:2.3:h:ecovacs:deebot_x2:-:::::::* cpe:2.3:h:ecovacs:airbot_ava:-:::::::* cpe:2.3:o:ecovacs:deebot_n8_firmware:-:::::::* cpe:2.3:o:ecovacs:airbot_z1_firmware:-:::::::* cpe:2.3:o:ecovacs:deebot_x1_firmware:-:::::::* cpe:2.3:h:ecovacs:goat_g1:-:::::::* cpe:2.3:h:ecovacs:deebot_900:-:::::::* cpe:2.3:h:ecovacs:deebot_n8:-:::::::* cpe:2.3:o:ecovacs:deebot_t10_firmware:-:::::::* cpe:2.3:o:ecovacs:deebot_t9_firmware:-:::::::* cpe:2.3:h:ecovacs:deebot_n10:-:::::::* cpe:2.3:h:ecovacs:deebot_t8:-:::::::* cpe:2.3:h:ecovacs:deebot_x1:-:::::::* cpe:2.3:o:ecovacs:airbot_andy_firmware:-:::::::* cpe:2.3:o:ecovacs:airbot_ava_firmware:-:::::::* cpe:2.3:o:ecovacs:deebot_t8_firmware:-:::::::* cpe:2.3:o:ecovacs:deebot_n9_firmware:-:::::::* cpe:2.3:o:ecovacs:deebot_x2_firmware:-:::::::* cpe:2.3:h:ecovacs:airbot_andy:-:::::::* cpe:2.3:o:ecovacs:goat_g1_firmware:-:::::::* cpe:2.3:h:ecovacs:deebot_t9:-:::::::* cpe:2.3:h:ecovacs:deebot_t10:-:::::::* cpe:2.3:o:ecovacs:deebot_t20_firmware:-:::::::* cpe:2.3:h:ecovacs:deebot_t20:-:::::::*

23 Jan 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-23 17:15

Updated : 2025-09-23 17:44

NVD link : CVE-2024-52328

Mitre link : CVE-2024-52328

CVE.ORG link : CVE-2024-52328

JSON object : View

Products Affected

ecovacs

deebot_x2_firmware
airbot_ava_firmware
deebot_t9_firmware
deebot_t9
airbot_z1
deebot_900
deebot_n8_firmware
deebot_x1
deebot_n9
airbot_andy
deebot_t8
deebot_t20
deebot_n9_firmware
deebot_n10_firmware
deebot_t10_firmware
airbot_ava
deebot_n8
goat_g1
deebot_n10
deebot_x2
deebot_t20_firmware
goat_g1_firmware
deebot_t8_firmware
deebot_t10
airbot_z1_firmware
deebot_x1_firmware
deebot_900_firmware
airbot_andy_firmware

CWE

CWE-732

Incorrect Permission Assignment for Critical Resource

2.3 /10