Description

ECOVACS robot lawnmowers and vacuums use a deterministic root password derived from the model and serial number. An attacker with shell access can log in as root.

INFO

Published Date: 2025-01-23T16:37:54.479Z
Last Modified: 2025-02-12T17:07:28.749Z
Source: cisa-cg

AFFECTED PRODUCTS

The following products are affected by the CVE-2024-11147 vulnerability.

Vendor: Ecovacs
Products:
  • Airbot Andy
  • Airbot Andy Firmware
  • Airbot Ava
  • Airbot Ava Firmware
  • Airbot Z1
  • Airbot Z1 Firmware
  • Deebot 900
  • Deebot 900 Firmware
  • Deebot N10
  • Deebot N10 Firmware
  • Deebot N8
  • Deebot N8 Firmware
  • Deebot N9
  • Deebot N9 Firmware
  • Deebot T10
  • Deebot T10 Firmware
  • Deebot T20
  • Deebot T20 Firmware
  • Deebot T8
  • Deebot T8 Firmware
  • Deebot T9
  • Deebot T9 Firmware
  • Deebot X1
  • Deebot X1 Firmware
  • Deebot X2
  • Deebot X2 Firmware
  • Goat G1
  • Goat G1 Firmware
CVSS Vulnerability Scoring System

[Two CVSS charts; metric values not preserved. First chart metrics: Attack Vector, Attack Complexity, Attack Requirements, Privileges Required, User Interaction, VS Confidentiality, VS Integrity, VS Availability, SS Confidentiality, SS Integrity, SS Availability. Second chart metrics: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality Impact, Integrity Impact, Availability Impact.]