CVE-2025-2394 MEDIUM

CVE-2025-2394: Disclosure of Alibaba (OSS) Keys In Ecovacs Home Android and iOS Mobile Applications

Vendor Ecovacs
Product Ecovacs Mobile and Android Application
Weakness CWE-798 · Hardcoded credentials
Published May 23, 2025
Last update September 30, 2025

CVSS base score

4.7/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H

What the vulnerability does

01Description

Ecovacs Home Android and iOS Mobile Applications up to version 3.3.0 contained embedded access keys and secrets for Alibaba Object Storage Service (OSS), leading to sensitive data disclosure.

Key dates

02Disclosure timeline

May 23, 2025 CVE published
September 30, 2025 Record updated