CVE-2025-2394

Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure.

CVSS

No CVSS.

References

Link	Resource
https://www.ecovacs.com/global/userhelp/dsa20250507001
https://www.themissinglink.com.au/security-advisories/cve-2025-2394

Configurations

No configuration.

History

30 Sep 2025, 11:37

Type	Values Removed	Values Added
CWE	~~CWE-522~~

23 May 2025, 15:54

Type	Values Removed	Values Added
Summary		(es) Las aplicaciones móviles Android e iOS de Ecovacs Home hasta la versión 3.3.0 contenían claves de acceso y secretos integrados para el Servicio de almacenamiento de objetos (OSS) de Alibaba, lo que provocó la divulgación de datos confidenciales.

23 May 2025, 01:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-23 01:15

Updated : 2025-09-30 11:37

NVD link : CVE-2025-2394

Mitre link : CVE-2025-2394

CVE.ORG link : CVE-2025-2394

JSON object : View

Products Affected

No product.

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2025-2394", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "vdp@themissinglink.com.au", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.7, "Automatable": "NOT_DEFINED", "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-23T01:15:19.240", "references": [{"url": "https://www.ecovacs.com/global/userhelp/dsa20250507001", "source": "vdp@themissinglink.com.au"}, {"url": "https://www.themissinglink.com.au/security-advisories/cve-2025-2394", "source": "vdp@themissinglink.com.au"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "vdp@themissinglink.com.au", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure."}, {"lang": "es", "value": "Las aplicaciones m\u00f3viles Android e iOS de Ecovacs Home hasta la versi\u00f3n 3.3.0 conten\u00edan claves de acceso y secretos integrados para el Servicio de almacenamiento de objetos (OSS) de Alibaba, lo que provoc\u00f3 la divulgaci\u00f3n de datos confidenciales."}], "lastModified": "2025-09-30T11:37:39.357", "sourceIdentifier": "vdp@themissinglink.com.au"}