CVE-2024-52329: ECOVACS HOME mobile app plugins do not properly validate TLS certificates

9.5 CVSS

Description

ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens.

Classification

CVE ID: CVE-2024-52329

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.5

Affected Products

Vendor: ECOVACS

Product: ECOVACS HOME

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 17.97% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-21 (date this score was calculated)

References

https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf
https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf
https://www.ecovacs.com/global/userhelp/dsa20241217001

Timeline