CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-12078: ECOVACS lawnmowers and vacuums static BLE GATT encryption key

5.3 CVSS

Description

ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key.

Classification

CVE ID: CVE-2024-12078

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.3

Affected Products

Vendor: ECOVACS

Product: Unspecified robots

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.72% (scored less or equal to compared to others)

EPSS Date: 2025-02-21 (when was this score calculated)

References

https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf
https://youtu.be/_wUsM0Mlenc?t=2041

Timeline

2025-01-24 00:30:16 UTC
CVE

ECOVACS lawnmowers and vacuums static BLE GATT encryption key