CVE-2024-52329

ECOVACS HOME mobile app plugins do not properly validate TLS certificates

CVSS 9.5 CRITICALEPSS 0.4%CWE-295

ECOVACS HOME mobile app plugins for specific robots do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic and obtain authentication tokens.

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H

Affected products

ECOVACS · ECOVACS HOME

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf https://www.ecovacs.com/global/userhelp/dsa20241217001