ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection.
Conclusion & alert: CVE-2024-52325 is rated High Exploit Risk (68.3/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 2.98%). Core evidence: 2 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ | |
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-21 | 2.85% | 2.98% | +0.13% |
| 2 | 2026-06-15 | 0.85% | 2.85% | +2.00% |
| 3 | 2026-06-14 | — | 0.85% | — |
Full EPSS history (28 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 5.8 | 4.0 | MEDIUM |
|
— | — | 9119a7d8-5eab-497f-8521-727c672e3725 |
| 9.6 | 3.1 | CRITICAL |
|
2.8 | 6.0 | 9119a7d8-5eab-497f-8521-727c672e3725 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| ecovacs | goat_g1-2000_firmware | < 1.36.187 | cpe:2.3:o:ecovacs:goat_g1-2000_firmware:*:*:*:*:*:*:*:* |
| ecovacs | goat_g1_firmware | < 1.36.187 | cpe:2.3:o:ecovacs:goat_g1_firmware:*:*:*:*:*:*:*:* |
| ecovacs | goat_g1-800_firmware | < 1.36.187 | cpe:2.3:o:ecovacs:goat_g1-800_firmware:*:*:*:*:*:*:*:* |
| ecovacs | gx-600_firmware | < 1.2.120 | cpe:2.3:o:ecovacs:gx-600_firmware:*:*:*:*:*:*:*:* |
| ecovacs | deebot_x2_omni_firmware | < 1.76.6 | cpe:2.3:o:ecovacs:deebot_x2_omni_firmware:*:*:*:*:*:*:*:* |
| ecovacs | deebot_x2_combo_firmware | < 1.81.10 | cpe:2.3:o:ecovacs:deebot_x2_combo_firmware:*:*:*:*:*:*:*:* |
| ecovacs | deebot_x2s_firmware | < 1.49.0 | cpe:2.3:o:ecovacs:deebot_x2s_firmware:*:*:*:*:*:*:*:* |
| ecovacs | deebot_x5_pro_firmware | < 1.70.0 | cpe:2.3:o:ecovacs:deebot_x5_pro_firmware:*:*:*:*:*:*:*:* |
| ecovacs | deebot_x5_pro_plus_firmware | < 1.38.0 | cpe:2.3:o:ecovacs:deebot_x5_pro_plus_firmware:*:*:*:*:*:*:*:* |
| ecovacs | deebot_x5_pro_ultra_firmware | < 1.17.0 | cpe:2.3:o:ecovacs:deebot_x5_pro_ultra_firmware:*:*:*:*:*:*:*:* |
| ecovacs | deebot_t30_omni_firmware | < 1.93.0 | cpe:2.3:o:ecovacs:deebot_t30_omni_firmware:*:*:*:*:*:*:*:* |
| ecovacs | deebot_t30s_firmware | < 1.95.0 | cpe:2.3:o:ecovacs:deebot_t30s_firmware:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://dontvacuum.me/talks/DEFCON32/DEFCON32_reveng_hacking_ecovacs_robots.pdf | Exploit Third Party Advisory |
| https://www.ecovacs.com/global/userhelp/dsa20241119 | Vendor Advisory |
| https://www.ecovacs.com/global/userhelp/dsa20241130001 | Vendor Advisory |
| https://youtu.be/_wUsM0Mlenc?t=2041 | Exploit |