CVE-2024-12078 MEDIUM

CVE-2024-12078: ECOVACS lawnmowers and vacuums static BLE GATT encryption key

Vendor Ecovacs
Product Unspecified robots
Weakness CWE-321
Published January 23, 2025
Last update February 12, 2025

CVSS base score

5.3/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE range can control any robot using the same key.

Key dates

02Disclosure timeline

January 23, 2025 CVE published
February 12, 2025 Record updated