Cyber Posture

CVE-2024-52325

Severity: Critical · Public PoC available

Published: 23 January 2025
Modified: 23 September 2025
KEV Added:
Patch:
CVSS Score: 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0063 (70.3rd percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Security Summary

CVE-2024-52325 is a command injection vulnerability (CWE-77) affecting ECOVACS robot lawnmowers and vacuums. The issue resides in the SetNetPin() function, which is exposed over an unauthenticated Bluetooth Low Energy (BLE) connection. It carries a CVSS v3.1 base score of 9.6 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

An attacker in adjacent physical proximity, within BLE range, can exploit the vulnerability with low attack complexity, no required privileges, and no user interaction. Exploitation enables command injection, achieving high impacts on confidentiality, integrity, and availability across a changed scope, potentially allowing full device compromise.

ECOVACS has issued security advisories DSA-2024-11-19 and DSA-2024-11-30-001 detailing mitigations, available at its user help portal. Further technical analysis appears in a DEF CON 32 presentation on reverse engineering and hacking ECOVACS robots; a YouTube recording of the talk is also available.

Details

CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command, "Command Injection")

Affected Products

Vendor: ecovacs
  goat g1-2000 firmware: ≤ 1.36.187
  goat g1 firmware: ≤ 1.36.187
  goat g1-800 firmware: ≤ 1.36.187
  gx-600 firmware: ≤ 1.2.120
  deebot x2 omni firmware: ≤ 1.76.6
  deebot x2 combo firmware: ≤ 1.81.10
  deebot x2s firmware: ≤ 1.49.0
  deebot x5 pro firmware: ≤ 1.70.0
  deebot x5 pro plus firmware: ≤ 1.38.0
  deebot x5 pro ultra firmware: ≤ 1.17.0
+2 more product configuration(s) — see NVD for full list

MITRE ATT&CK Enterprise Techniques

T1059 Command and Scripting Interpreter (Tactic: Execution)
  Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1210 Exploitation of Remote Services (Tactic: Lateral Movement)
  Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Unauthenticated command injection via SetNetPin() over BLE enables arbitrary command execution on the device (T1059) through exploitation of the vulnerable, network-reachable BLE service (T1210).

References