Description

ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on.

INFO

Published Date :

2025-01-23T16:35:23.197Z

Last Modified :

2025-02-12T20:41:29.266Z

Source :

cisa-cg
AFFECTED PRODUCTS

The following products are affected by CVE-2024-52328 vulnerability.

Vendors Products
Ecovacs
  • Airbot Andy
  • Airbot Andy Firmware
  • Airbot Ava
  • Airbot Ava Firmware
  • Airbot Z1
  • Airbot Z1 Firmware
  • Deebot 900
  • Deebot 900 Firmware
  • Deebot N10
  • Deebot N10 Firmware
  • Deebot N8
  • Deebot N8 Firmware
  • Deebot N9
  • Deebot N9 Firmware
  • Deebot T10
  • Deebot T10 Firmware
  • Deebot T20
  • Deebot T20 Firmware
  • Deebot T8
  • Deebot T8 Firmware
  • Deebot T9
  • Deebot T9 Firmware
  • Deebot X1
  • Deebot X1 Firmware
  • Deebot X2
  • Deebot X2 Firmware
  • Goat G1
  • Goat G1 Firmware
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-52328.

URL Resource
https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf cve-icon cve-icon
https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact