CVE-2024-11147
Published: 23 January 2025
Description
A deterministic root password is generated from the model and serial number of ECOVACS robot lawnmowers and vacuums. An attacker who obtains shell access to a device can log in as root using the predictable password.
Security Summary
CVE-2024-11147 is a vulnerability in ECOVACS robot lawnmowers and vacuums where a deterministic root password is generated based on the device's model and serial number. This hard-coded credential issue, classified under CWE-798 (Use of Hard-coded Credentials), allows unauthorized root access. The vulnerability received a CVSS v3.1 base score of 7.6 (AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts with physical access required.
An attacker with physical access to the device (CVSS AV:P) can obtain a shell and log in as root with the password derived from the model and serial number, both of which are device identifiers rather than secrets. No privileges, user interaction, or special conditions are needed beyond that physical access. Because the derivation depends only on those identifiers, one reverse-engineering effort yields the root password for every affected device, which is what the published password generation tool demonstrates. Successful exploitation grants full root privileges: complete control over the device, including data exfiltration, modification of firmware, and disruption of operations.
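The pattern behind the finding, as an added illustration that is not ECOVACS code and not the researchers' tool: a root password computed from public identifiers is a hard-coded credential (CWE-798) because whoever recovers the derivation from firmware can recompute it for any device. The derivation, model and serial strings, and salt below are assumptions made for the example; the real ECOVACS scheme is not reproduced here. The block pairs the weak scheme with a hardened per-device provisioning and an audit check a practitioner can run against a device they already have a shell on.

```python
"""CWE-798 pattern behind CVE-2024-11147, shown on a HYPOTHETICAL scheme.

weak_root_password() stands in for "root password = f(model, serial)"; it is
NOT the real ECOVACS derivation (the researchers' tool lives at
builder.dontvacuum.me/ecopassword.php). Device identifiers are made up.
"""
import hashlib
import hmac
import secrets
import string

PBKDF2_ROUNDS = 100_000


def weak_root_password(model: str, serial: str) -> str:
    """HYPOTHETICAL deterministic derivation: the whole 'secret' is a function
    of two identifiers printed on the label or exposed over the network."""
    digest = hashlib.sha256(f"{model}:{serial}".encode()).hexdigest()
    return digest[:12]


def attacker_recovers_password(model: str, serial: str) -> str:
    """Once the derivation is pulled out of the firmware, an attacker needs
    only the identifiers; there is nothing device-specific left to guess."""
    return weak_root_password(model, serial)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash as a device would store it (stand-in for /etc/shadow)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(candidate: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison against the stored hash."""
    return hmac.compare_digest(hash_password(candidate, salt), stored)


def provision_root_password() -> tuple[str, bytes, bytes]:
    """Hardened: a per-device random secret generated at manufacture and kept
    on the device only as a salted hash. Knowing model and serial yields
    nothing; the cleartext exists only in the factory's escrow."""
    alphabet = string.ascii_letters + string.digits
    password = "".join(secrets.choice(alphabet) for _ in range(20))
    salt = secrets.token_bytes(16)
    return password, salt, hash_password(password, salt)


def uses_predictable_scheme(model: str, serial: str, salt: bytes, stored: bytes) -> bool:
    """Audit check for a device you have a shell on: does the stored root hash
    verify against the deterministic derivation? True means CWE-798 applies."""
    return verify_password(weak_root_password(model, serial), salt, stored)


# Constructed sample: two devices of the same model; device A still uses the
# weak scheme, device B is provisioned with a random per-device password.
MODEL = "EXAMPLE-MOWER-1"   # made-up identifiers, not real ECOVACS values
SERIAL_A = "SN0000000001"
SERIAL_B = "SN0000000002"
SALT_A = bytes(16)          # fixed salt so the sample is reproducible
STORED_A = hash_password(weak_root_password(MODEL, SERIAL_A), SALT_A)


if __name__ == "__main__":
    print("device A predictable:", uses_predictable_scheme(MODEL, SERIAL_A, SALT_A, STORED_A))
    pw_b, salt_b, stored_b = provision_root_password()
    print("device B predictable:", uses_predictable_scheme(MODEL, SERIAL_B, salt_b, stored_b))
```

The audit check is only as good as the derivation you feed it: against a real device you would plug in the recovered scheme and the hash read from the device's password database, and a True result is a confirmed instance of the bug rather than a guess.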
The vulnerability was disclosed through independent research, with details available in presentations from 37C3 2023 and HITCON 2024, as well as a password generation tool at builder.dontvacuum.me/ecopassword.php. No official advisories or patches are referenced in the available information.
Details
- CWE(s): CWE-798 (Use of Hard-coded Credentials)
Affected Products
ECOVACS robot lawnmowers and vacuums; specific models and firmware versions are not listed in the available information.
MITRE ATT&CK Enterprise Techniques
T1078.003 Valid Accounts: Local Accounts. Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?
The root password is deterministic, derived from the model and serial number, so an attacker with shell access can authenticate to the root local account with a valid credential rather than exploiting a memory or logic bug; abusing that local account is the privilege escalation step.