CVE-2025-44251
EUVD-2025-21006 | HIGH
Cleartext Transmission of Sensitive Information (CWE-319)
2025-07-10 [email protected]
CVSS 3.1 base score: 7.5

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 16, 2026, 06:52 (vuln.today)
EUVD ID Assigned: Mar 16, 2026, 06:52 (euvd), EUVD-2025-21006
CVE Published: Jul 10, 2025, 15:15 (nvd), HIGH 7.5

Description (NVD)

Ecovacs Deebot T10 1.7.2 transmits Wi-Fi credentials in cleartext during the pairing process.

Analysis (AI)

Ecovacs Deebot T10 version 1.7.2 transmits Wi-Fi credentials in cleartext during the device pairing process, allowing network-adjacent attackers to intercept sensitive authentication material without authentication or user interaction. This high-severity information disclosure vulnerability (CVSS 7.5) affects the initial device setup phase and could enable unauthorized network access or further lateral movement within the target network.

Technical Context (AI)

The vulnerability stems from the implementation of the Deebot T10's Wi-Fi pairing protocol, which does not encrypt the credential exchange. This is a violation of CWE-319 (Cleartext Transmission of Sensitive Information), a fundamental cryptographic control failure. During pairing initialization, the mobile application or web interface sends the Wi-Fi SSID and passphrase to the device over an unencrypted channel. The affected product (CPE: ecovacs:deebot_t10 version 1.7.2) uses this cleartext transmission mechanism instead of standard approaches such as TLS/SSL wrapping, certificate pinning, or pre-shared key derivation for the pairing handshake. The root cause is insufficient security in the device-to-mobile communication protocol during the setup phase, likely because the exchange takes place before any secure channel has been established.

Remediation (AI)

- Upgrade (priority: CRITICAL): Upgrade Deebot T10 firmware to version 1.7.3 or later (assuming patches are available from Ecovacs). Check the Ecovacs support portal or mobile app for firmware update availability.
- Workaround, network segmentation (priority: HIGH): Isolate Deebot T10 devices on a dedicated IoT VLAN separate from corporate workstations and sensitive systems. Perform pairing in a controlled, isolated network environment before connecting to production networks. Restrict network access to the device post-pairing.
- Workaround, access control (priority: MEDIUM): Limit Wi-Fi network access during pairing to authorized users only. Temporarily disable SSID broadcast (hide the SSID) if possible. Use 5 GHz Wi-Fi for pairing to reduce broadcast range and the exposure window.
- Detection (priority: MEDIUM): Monitor network traffic for cleartext Wi-Fi credential transmission during Deebot pairing. Deploy network IDS rules to alert on unencrypted credential patterns. Audit Wi-Fi access logs for unauthorized pairing attempts.
- Vendor advisory (priority: HIGH): Contact Ecovacs support for the security advisory and patched firmware release notes. Check for CVE-2025-44251 patches in official channels.
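The detection item above can be turned into a concrete check: the network owner already knows their own SSID and passphrase, so a monitor watching the pairing exchange can look for those exact values in captured payloads, both raw and behind thin wrappers (URL-encoding, base64, hex) that a naive protocol might apply without actually encrypting anything. The Python below is an added example written for this page; it is not code from vuln.today or Ecovacs. The page does not document the Deebot pairing protocol, so the payload formats, the placeholder credentials, and the function names are all assumptions, and the sample payloads are constructed stand-ins for a real capture.

```python
import base64
import binascii
from urllib.parse import quote, unquote_to_bytes

# Constructed placeholder credentials for the monitoring host's own network.
# A defender knows these values, so the detector can search for them directly.
OWN_SSID = "HomeNet-IoT"
OWN_PASSPHRASE = "correct horse battery"
OWN_SECRETS = {"ssid": OWN_SSID, "passphrase": OWN_PASSPHRASE}

# Constructed sample payloads standing in for captured pairing traffic.
# The formats are assumptions; the page does not describe the real protocol.
SAMPLE_PAYLOADS = [
    (1, b'{"ssid":"HomeNet-IoT","password":"correct horse battery"}'),  # cleartext JSON
    (2, b"ssid=HomeNet-IoT&pass=" + quote(OWN_PASSPHRASE).encode()),    # URL-encoded form
    (3, base64.b64encode(OWN_PASSPHRASE.encode())),                     # base64-wrapped value
    (4, b"\x9f\x3a\xc2\x17\x5d\xe0\x44\x81\xb6\x2c\x07\xfa"),           # opaque bytes, no leak
]


def _decoded_views(payload: bytes):
    """Yield (encoding, bytes) views of a payload: the raw bytes plus the
    result of undoing common wrappers (URL-encoding, base64, hex) that a
    naive protocol might apply without encrypting anything. Views whose
    decoding fails are skipped."""
    yield "raw", payload
    if b"%" in payload:
        yield "url-encoded", unquote_to_bytes(payload)
    stripped = payload.strip()
    try:
        decoded = base64.b64decode(stripped, validate=True)
        if decoded:
            yield "base64", decoded
    except (binascii.Error, ValueError):
        pass
    try:
        yield "hex", binascii.unhexlify(stripped)
    except (binascii.Error, ValueError):
        pass


def find_cleartext_credentials(payload: bytes, secrets: dict) -> dict:
    """Return {secret_label: encoding} for every secret found in the payload,
    recording the first view in which each one appeared."""
    hits = {}
    for encoding, view in _decoded_views(payload):
        for label, value in secrets.items():
            if value.encode() in view:
                hits.setdefault(label, encoding)
    return hits


def scan_capture(payloads, secrets: dict) -> dict:
    """Scan (packet_id, payload) pairs and return only the packets with hits."""
    report = {}
    for packet_id, payload in payloads:
        hits = find_cleartext_credentials(payload, secrets)
        if hits:
            report[packet_id] = hits
    return report


if __name__ == "__main__":
    # A passphrase leak is the critical case; an SSID alone is public anyway.
    for packet_id, hits in scan_capture(SAMPLE_PAYLOADS, OWN_SECRETS).items():
        level = "CRITICAL" if "passphrase" in hits else "WARNING"
        print(f"packet {packet_id}: {level} cleartext credential(s) found: {hits}")
```

In a real deployment the payloads would come from a packet capture taken on the pairing network, and a hit on the passphrase is the signal that the exchange is not protected. The base64 view only decodes a payload that is base64 as a whole; a secret embedded in a longer base64 stream is not guaranteed to be found because its encoding depends on alignment, so this check is a floor, not a proof of absence.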


CVE-2025-44251 vulnerability details – vuln.today
