Deebot X1 Firmware Security Vulnerabilities and Issues — Deebot X1 Firmware CVE List

Lucene search

EcovacsDeebot X1 Firmware

6 matches found

CVE•added 2025/01/23 5:15 p.m.•43 views

CVE-2024-52330

ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.

9.5CVSS7.5AI score0.00049EPSS

CVE•added 2025/01/23 5:15 p.m.•39 views

CVE-2024-11147

ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can login as root.

7.6CVSS7.6AI score0.00097EPSS

CVE•added 2025/01/23 5:15 p.m.•39 views

CVE-2024-52328

ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on.

2.3CVSS3.7AI score0.00027EPSS

CVE•added 2025/01/23 5:15 p.m.•39 views

CVE-2024-52331

ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.

7.7CVSS7.5AI score0.00038EPSS

CVE•added 2025/01/23 5:15 p.m.•37 views

CVE-2024-12078

ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key.

6.3CVSS6.4AI score0.00045EPSS

CVE•added 2025/01/23 5:15 p.m.•36 views

CVE-2024-12079

ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism.

4.8CVSS4AI score0.00013EPSS