CVE-2024-52328

ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the /data filesystem can delete or modify warning files such that users may not be aware that the camera is on.

CVSS v3 2.3 LOW

2.3^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 0.8 / Impact : 1.4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf	Exploit Third Party Advisory
https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:ecovacs:deebot_n8_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:deebot_n8:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:ecovacs:deebot_900_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:deebot_900:-:*:*:*:*:*:*:*

Configuration 3 (hide)

AND

cpe:2.3:o:ecovacs:deebot_t8_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:deebot_t8:-:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:ecovacs:deebot_n9_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:deebot_n9:-:*:*:*:*:*:*:*

Configuration 5 (hide)

AND

cpe:2.3:o:ecovacs:deebot_t9_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:deebot_t9:-:*:*:*:*:*:*:*

Configuration 6 (hide)

AND

cpe:2.3:o:ecovacs:deebot_n10_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:deebot_n10:-:*:*:*:*:*:*:*

Configuration 7 (hide)

AND

cpe:2.3:o:ecovacs:deebot_t10_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:deebot_t10:-:*:*:*:*:*:*:*

Configuration 8 (hide)

AND

cpe:2.3:o:ecovacs:deebot_x1_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:deebot_x1:-:*:*:*:*:*:*:*

Configuration 9 (hide)

AND

cpe:2.3:o:ecovacs:deebot_t20_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:deebot_t20:-:*:*:*:*:*:*:*

Configuration 10 (hide)

AND

cpe:2.3:o:ecovacs:deebot_x2_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:deebot_x2:-:*:*:*:*:*:*:*

Configuration 11 (hide)

AND

cpe:2.3:o:ecovacs:goat_g1_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:goat_g1:-:*:*:*:*:*:*:*

Configuration 12 (hide)

AND

cpe:2.3:o:ecovacs:airbot_z1_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:airbot_z1:-:*:*:*:*:*:*:*

Configuration 13 (hide)

AND

cpe:2.3:o:ecovacs:airbot_ava_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:airbot_ava:-:*:*:*:*:*:*:*

Configuration 14 (hide)

AND

cpe:2.3:o:ecovacs:airbot_andy_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:ecovacs:airbot_andy:-:*:*:*:*:*:*:*

History

23 Sep 2025, 17:44

Type	Values Removed	Values Added
References	~~() https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf -~~	() https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf - Exploit, Third Party Advisory
References	~~() https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf -~~	() https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf - Exploit, Third Party Advisory
CPE		cpe:2.3:o:ecovacs:deebot_n10_firmware:-:::::::* cpe:2.3:o:ecovacs:deebot_t8_firmware:-:::::::* cpe:2.3:o:ecovacs:deebot_n9_firmware:-:::::::* cpe:2.3:o:ecovacs:deebot_t9_firmware:-:::::::* cpe:2.3:h:ecovacs:deebot_x2:-:::::::* cpe:2.3:h:ecovacs:airbot_ava:-:::::::* cpe:2.3:o:ecovacs:airbot_ava_firmware:-:::::::* cpe:2.3:o:ecovacs:deebot_x1_firmware:-:::::::* cpe:2.3:o:ecovacs:deebot_t10_firmware:-:::::::* cpe:2.3:h:ecovacs:deebot_n9:-:::::::* cpe:2.3:h:ecovacs:deebot_n8:-:::::::* cpe:2.3:o:ecovacs:deebot_n8_firmware:-:::::::* cpe:2.3:h:ecovacs:airbot_andy:-:::::::* cpe:2.3:o:ecovacs:deebot_x2_firmware:-:::::::* cpe:2.3:o:ecovacs:airbot_z1_firmware:-:::::::* cpe:2.3:o:ecovacs:airbot_andy_firmware:-:::::::* cpe:2.3:h:ecovacs:deebot_t20:-:::::::* cpe:2.3:h:ecovacs:deebot_t9:-:::::::* cpe:2.3:h:ecovacs:deebot_x1:-:::::::* cpe:2.3:o:ecovacs:deebot_900_firmware:-:::::::* cpe:2.3:o:ecovacs:goat_g1_firmware:-:::::::* cpe:2.3:o:ecovacs:deebot_t20_firmware:-:::::::* cpe:2.3:h:ecovacs:deebot_t8:-:::::::* cpe:2.3:h:ecovacs:deebot_n10:-:::::::* cpe:2.3:h:ecovacs:deebot_t10:-:::::::* cpe:2.3:h:ecovacs:deebot_900:-:::::::* cpe:2.3:h:ecovacs:goat_g1:-:::::::* cpe:2.3:h:ecovacs:airbot_z1:-:::::::*
First Time		Ecovacs deebot T8 Firmware Ecovacs deebot 900 Firmware Ecovacs deebot N10 Firmware Ecovacs deebot X2 Firmware Ecovacs deebot T9 Ecovacs deebot T10 Ecovacs goat G1 Ecovacs deebot T10 Firmware Ecovacs deebot T9 Firmware Ecovacs deebot 900 Ecovacs airbot Z1 Firmware Ecovacs deebot X2 Ecovacs airbot Ava Firmware Ecovacs deebot T8 Ecovacs deebot N9 Ecovacs airbot Ava Ecovacs airbot Andy Firmware Ecovacs deebot X1 Firmware Ecovacs deebot X1 Ecovacs airbot Z1 Ecovacs deebot T20 Ecovacs Ecovacs deebot N8 Firmware Ecovacs deebot T20 Firmware Ecovacs deebot N10 Ecovacs airbot Andy Ecovacs deebot N8 Ecovacs goat G1 Firmware Ecovacs deebot N9 Firmware
Summary		(es) Los robots cortacésped y aspiradores ECOVACS almacenan de forma insegura archivos de audio que se utilizan para indicar que la cámara está encendida. Un atacante con acceso al sistema de archivos /data puede eliminar o modificar los archivos de advertencia de forma que los usuarios no sepan que la cámara está encendida.

23 Jan 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-23 17:15

Updated : 2025-09-23 17:44

NVD link : CVE-2024-52328

Mitre link : CVE-2024-52328

CVE.ORG link : CVE-2024-52328

JSON object : View

Products Affected

ecovacs

airbot_andy
deebot_n9_firmware
deebot_900_firmware
deebot_t20
deebot_x2
deebot_t8_firmware
deebot_n10
goat_g1
airbot_ava_firmware
deebot_t10
deebot_x2_firmware
deebot_t8
airbot_z1_firmware
airbot_andy_firmware
deebot_n8_firmware
deebot_t9
goat_g1_firmware
deebot_n8
deebot_t9_firmware
deebot_x1
deebot_t20_firmware
airbot_z1
deebot_n10_firmware
deebot_900
deebot_n9
deebot_t10_firmware
deebot_x1_firmware
airbot_ava

CWE

CWE-732

Incorrect Permission Assignment for Critical Resource

2.3 /10