CVE-2024-52331 HIGH

CVE-2024-52331: ECOVACS lawnmowers and vacuums deterministic firmware encryption key

Vendor: Ecovacs
Product: Unspecified robots
Weakness: CWE-494 · Download without integrity check
Published: January 23, 2025
Last update: October 2, 2025

CVSS base score

7.5/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.

Key dates

02 Disclosure timeline

January 23, 2025: CVE published
October 2, 2025: Record updated