Vulnerability Description
ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ecovacs | Deebot N8 Firmware | - |
| Ecovacs | Deebot N8 | - |
| Ecovacs | Deebot 900 Firmware | - |
| Ecovacs | Deebot 900 | - |
| Ecovacs | Deebot T8 Firmware | - |
| Ecovacs | Deebot T8 | - |
| Ecovacs | Deebot N9 Firmware | - |
| Ecovacs | Deebot N9 | - |
| Ecovacs | Deebot T9 Firmware | - |
| Ecovacs | Deebot T9 | - |
| Ecovacs | Deebot N10 Firmware | - |
| Ecovacs | Deebot N10 | - |
| Ecovacs | Deebot T10 Firmware | - |
| Ecovacs | Deebot T10 | - |
| Ecovacs | Deebot X1 Firmware | - |
| Ecovacs | Deebot X1 | - |
| Ecovacs | Deebot T20 Firmware | - |
| Ecovacs | Deebot T20 | - |
| Ecovacs | Deebot X2 Firmware | - |
| Ecovacs | Deebot X2 | - |
Related Weaknesses (CWE)
References
- https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf (Exploit, Third Party Advisory)
- https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf (Exploit, Third Party Advisory)
FAQ
What is CVE-2024-52328?
CVE-2024-52328 is a vulnerability with a CVSS score of 2.3 (LOW). ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that u...
How severe is CVE-2024-52328?
CVE-2024-52328 has been rated LOW with a CVSS base score of 2.3/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2024-52328?
Check the references section above for vendor advisories and patch information. Affected products include: Ecovacs Deebot N8 Firmware, Ecovacs Deebot N8, Ecovacs Deebot 900 Firmware, Ecovacs Deebot 900, Ecovacs Deebot T8 Firmware.