
CVE-2024-11147: ECOVACS lawnmowers and vacuums deterministic root password

7.6 CVSS

Description

ECOVACS robot lawnmowers and vacuums use a deterministic root password that is derived from the device's model and serial number. An attacker who already has shell access to the device can log in as root.

Classification

CVE ID: CVE-2024-11147

CVSS Base Severity: HIGH

CVSS Base Score: 7.6

Affected Products

Vendor: ECOVACS

Product: Unspecified robots

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (estimated probability that this vulnerability is exploited in the wild)

EPSS Percentile: 17.97% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-21 (date on which this score was calculated)

References

https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf
https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf
https://builder.dontvacuum.me/ecopassword.php

Timeline