Aggregates CVE and security vulnerability intelligence across all ecovacs-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk command injection and related security problems, affecting vendor surface production workloads and vendor surface software deployment scenarios.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-30200 | ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic AES encryption key, which can be easily derived. | 9119a7d8-5eab-497f-8521-727c672e3725 | 2.3 | 0.01% | 2025-09-05 | 2025-09-23 |
| CVE-2025-30199 | ECOVACS vacuum robot base stations do not validate firmware updates, so malicious over-the-air updates can be sent to base station via insecure connection between robot and base station. | 9119a7d8-5eab-497f-8521-727c672e3725 | 7.5 | 0.02% | 2025-09-05 | 2025-09-23 |
| CVE-2025-30198 | ECOVACS robot vacuums and base stations communicate via an insecure Wi-Fi network with a deterministic WPA2-PSK, which can be easily derived. | 9119a7d8-5eab-497f-8521-727c672e3725 | 2.3 | 0.01% | 2025-09-05 | 2025-09-23 |
| CVE-2024-52331 | ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot. | 9119a7d8-5eab-497f-8521-727c672e3725 | 7.7 | 0.11% | 2025-01-23 | 2025-10-02 |
| CVE-2024-52330 | ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates. | 9119a7d8-5eab-497f-8521-727c672e3725 | 9.5 | 0.66% | 2025-01-23 | 2025-09-23 |
| CVE-2024-52329 | ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens. | 9119a7d8-5eab-497f-8521-727c672e3725 | 9.5 | 0.67% | 2025-01-23 | 2025-09-23 |
| CVE-2024-52328 | ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on. | 9119a7d8-5eab-497f-8521-727c672e3725 | 1.8 | 0.04% | 2025-01-23 | 2025-09-23 |
| CVE-2024-52327 | The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed. | 9119a7d8-5eab-497f-8521-727c672e3725 | 6.0 | 0.11% | 2025-01-23 | 2025-09-23 |
| CVE-2024-12079 | ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism. | 9119a7d8-5eab-497f-8521-727c672e3725 | 4.8 | 0.04% | 2025-01-23 | 2025-09-23 |
| CVE-2024-12078 | ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key. | 9119a7d8-5eab-497f-8521-727c672e3725 | 5.3 | 0.05% | 2025-01-23 | 2025-09-23 |
| CVE-2024-11147 | ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can login as root. | 9119a7d8-5eab-497f-8521-727c672e3725 | 7.0 | 0.12% | 2025-01-23 | 2025-09-23 |
| CVE-2024-52325 | ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection. | 9119a7d8-5eab-497f-8521-727c672e3725 | 5.8 | 0.63% | 2025-01-23 | 2025-09-23 |