This page aggregates CVE and security vulnerability information for all ecovacs-related products, listing CVSS score, EPSS score, publication date, and vulnerability details.
Historical issues mainly involve command injection and related security problems, affecting production workloads and software deployment scenarios for the vendor's products.
The listed data is based on public vulnerability information and security advisories and can be used to assess past exposure and patching priority.
| CVE | Summary | Source | Max CVSS | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-30200 | ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption key, which can be easily derived. | 9119a7d8-5eab-497f-8521-727c672e3725 | 2.3 | 0.13% | 2025-09-05 | 2026-06-17 |
| CVE-2025-30199 | ECOVACS vacuum robot base stations do not validate firmware updates, so malicious over-the-air updates can be sent to base station via insecure connection between robot and base station. | 9119a7d8-5eab-497f-8521-727c672e3725 | 7.5 | 0.27% | 2025-09-05 | 2026-06-17 |
| CVE-2025-30198 | ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK, which can be easily derived. | 9119a7d8-5eab-497f-8521-727c672e3725 | 2.3 | 0.20% | 2025-09-05 | 2026-06-17 |
| CVE-2024-52331 | ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot. | 9119a7d8-5eab-497f-8521-727c672e3725 | 7.7 | 0.20% | 2025-01-23 | 2026-06-17 |
| CVE-2024-52330 | ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates. | 9119a7d8-5eab-497f-8521-727c672e3725 | 9.5 | 0.32% | 2025-01-23 | 2026-06-17 |
| CVE-2024-52329 | ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens. | 9119a7d8-5eab-497f-8521-727c672e3725 | 9.5 | 0.35% | 2025-01-23 | 2026-06-17 |
| CVE-2024-52328 | ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on. | 9119a7d8-5eab-497f-8521-727c672e3725 | 1.8 | 0.20% | 2025-01-23 | 2026-06-17 |
| CVE-2024-52327 | The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed. | 9119a7d8-5eab-497f-8521-727c672e3725 | 6.0 | 0.46% | 2025-01-23 | 2026-06-17 |
| CVE-2024-12079 | ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism. | 9119a7d8-5eab-497f-8521-727c672e3725 | 4.8 | 0.14% | 2025-01-23 | 2026-06-17 |
| CVE-2024-12078 | ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key. | 9119a7d8-5eab-497f-8521-727c672e3725 | 5.3 | 0.31% | 2025-01-23 | 2026-06-17 |
| CVE-2024-11147 | ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can login as root. | 9119a7d8-5eab-497f-8521-727c672e3725 | 7.0 | 0.38% | 2025-01-23 | 2026-06-17 |
| CVE-2024-52325 | ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection. | 9119a7d8-5eab-497f-8521-727c672e3725 | 5.8 | 2.98% | 2025-01-23 | 2026-06-17 |