CVE-2024-52331

ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:ecovacs:deebot_900_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:deebot_900:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:ecovacs:deebot_n8_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:deebot_n8:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND
cpe:2.3:o:ecovacs:deebot_t8_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:deebot_t8:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND
cpe:2.3:o:ecovacs:deebot_n9_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:deebot_n9:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND
cpe:2.3:o:ecovacs:deebot_t9_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:deebot_t9:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND
cpe:2.3:o:ecovacs:deebot_n10_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:deebot_n10:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND
cpe:2.3:o:ecovacs:deebot_t10_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:deebot_t10:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND
cpe:2.3:o:ecovacs:deebot_x1_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:deebot_x1:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND
cpe:2.3:o:ecovacs:deebot_t20_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:deebot_t20:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND
cpe:2.3:o:ecovacs:deebot_x2_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:deebot_x2:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND
cpe:2.3:o:ecovacs:goat_g1_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:goat_g1:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND
cpe:2.3:o:ecovacs:airbot_z1_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:airbot_z1:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND
cpe:2.3:o:ecovacs:airbot_ava_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:airbot_ava:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND
cpe:2.3:o:ecovacs:airbot_andy_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:airbot_andy:-:*:*:*:*:*:*:*

History

02 Oct 2025, 15:15

Type Values Removed Values Added
CWE CWE-327

23 Sep 2025, 17:46

Type Values Removed Values Added
References () https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf - () https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf - Exploit, Third Party Advisory
References () https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.html - () https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.html - Exploit, Third Party Advisory
First Time Ecovacs deebot T20 Firmware
Ecovacs deebot T20
Ecovacs airbot Andy
Ecovacs deebot T9
Ecovacs deebot T8
Ecovacs deebot N8 Firmware
Ecovacs deebot N9 Firmware
Ecovacs airbot Ava
Ecovacs goat G1 Firmware
Ecovacs deebot N8
Ecovacs
Ecovacs deebot N9
Ecovacs airbot Z1 Firmware
Ecovacs goat G1
Ecovacs deebot T10 Firmware
Ecovacs deebot X1
Ecovacs airbot Andy Firmware
Ecovacs deebot N10 Firmware
Ecovacs airbot Z1
Ecovacs deebot X1 Firmware
Ecovacs deebot 900
Ecovacs deebot 900 Firmware
Ecovacs deebot X2 Firmware
Ecovacs deebot T10
Ecovacs deebot N10
Ecovacs deebot T8 Firmware
Ecovacs airbot Ava Firmware
Ecovacs deebot T9 Firmware
Ecovacs deebot X2
Summary
  • (es) Los robots cortacésped y aspiradores ECOVACS utilizan una clave simétrica determinista para descifrar las actualizaciones de firmware. Un atacante puede crear y cifrar un firmware malicioso que el robot descifrará e instalará con éxito.
CPE cpe:2.3:h:ecovacs:deebot_n9:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:airbot_z1:-:*:*:*:*:*:*:*
cpe:2.3:o:ecovacs:deebot_900_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:ecovacs:deebot_n10_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:deebot_x2:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:airbot_ava:-:*:*:*:*:*:*:*
cpe:2.3:o:ecovacs:deebot_n8_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:ecovacs:airbot_z1_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:ecovacs:deebot_x1_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:goat_g1:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:deebot_900:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:deebot_n8:-:*:*:*:*:*:*:*
cpe:2.3:o:ecovacs:deebot_t10_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:ecovacs:deebot_t9_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:deebot_n10:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:deebot_t8:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:deebot_x1:-:*:*:*:*:*:*:*
cpe:2.3:o:ecovacs:airbot_andy_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:ecovacs:airbot_ava_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:ecovacs:deebot_t8_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:ecovacs:deebot_n9_firmware:-:*:*:*:*:*:*:*
cpe:2.3:o:ecovacs:deebot_x2_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:airbot_andy:-:*:*:*:*:*:*:*
cpe:2.3:o:ecovacs:goat_g1_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:deebot_t9:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:deebot_t10:-:*:*:*:*:*:*:*
cpe:2.3:o:ecovacs:deebot_t20_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:ecovacs:deebot_t20:-:*:*:*:*:*:*:*

23 Jan 2025, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-01-23 17:15

Updated : 2025-10-02 15:15


NVD link : CVE-2024-52331

Mitre link : CVE-2024-52331

CVE.ORG link : CVE-2024-52331


JSON object : View

Products Affected

ecovacs

  • airbot_ava_firmware
  • deebot_t10_firmware
  • deebot_n9
  • deebot_n8
  • deebot_x1_firmware
  • deebot_t10
  • deebot_t8_firmware
  • deebot_900_firmware
  • deebot_x2_firmware
  • deebot_n8_firmware
  • deebot_x2
  • airbot_ava
  • deebot_n9_firmware
  • deebot_t9_firmware
  • airbot_z1_firmware
  • deebot_t20
  • deebot_900
  • deebot_t20_firmware
  • airbot_z1
  • deebot_t8
  • deebot_x1
  • deebot_t9
  • deebot_n10
  • goat_g1_firmware
  • deebot_n10_firmware
  • airbot_andy_firmware
  • airbot_andy
  • goat_g1
CWE
CWE-327

Use of a Broken or Risky Cryptographic Algorithm

CWE-494

Download of Code Without Integrity Check

CWE-1391

Use of Weak Credentials