Deebot X2 Firmware
Monthly
ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. Rated low severity (CVSS 1.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. Rated high severity (CVSS 7.0), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. Rated low severity (CVSS 1.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. Rated medium severity (CVSS 4.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. Rated high severity (CVSS 7.0), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.