Goat G1 Firmware Security Vulnerabilities and Issues — Goat G1 Firmware CVE List

Lucene search

EcovacsGoat G1 Firmware

6 matches found

CVE•added 2025/01/23 5:15 p.m.•39 views

CVE-2024-11147

ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can login as root.

7.6CVSS7.6AI score0.00097EPSS

CVE•added 2025/01/23 5:15 p.m.•39 views

CVE-2024-52328

ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on.

2.3CVSS3.7AI score0.00027EPSS

CVE•added 2025/01/23 5:15 p.m.•39 views

CVE-2024-52331

ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.

7.7CVSS7.5AI score0.00038EPSS

CVE•added 2025/01/23 5:15 p.m.•37 views

CVE-2024-12078

ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key.

6.3CVSS6.4AI score0.00045EPSS

CVE•added 2025/01/23 4:15 p.m.•37 views

CVE-2024-52325

ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection.

9.6CVSS9.8AI score0.02378EPSS

CVE•added 2025/01/23 5:15 p.m.•36 views

CVE-2024-12079

ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN, and reset the anti-theft mechanism.

4.8CVSS4AI score0.00013EPSS