Ecovacs Deebot: Attackers can inject arbitrary code

Details of security vulnerabilities in Ecovacs' Deebot robot vacuums have been published: arbitrary code can be injected. Updates are available.

[Image: robot vacuum cleaner (Diego Cervo/Shutterstock.com)]

Vulnerability descriptions published over the weekend discuss high-risk security holes in robot vacuum cleaners from Ecovacs. Updates that close the holes have been available for the affected Deebot models for some time. Owners should make sure that both the base stations and the vacuum robots are updated.

The US IT security authority CISA had already published an updated security bulletin describing the vulnerabilities in July. The most serious vulnerability concerns the base stations of the robot vacuums. These do not validate firmware updates, meaning that malicious over-the-air updates can be sent to the base station via an insecure connection between the robot vacuum and the base station (CVE-2025-30199 / EUVD-2025-27021, CVSS4 8.6, risk “high”).
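The core of the high-rated flaw is that the base station applies an over-the-air update without checking where it came from. The following Go program is an added illustration of the missing control, not Ecovacs code and not the real Deebot update format (which the article does not describe): it assumes a constructed bundle layout (version header, Ed25519 signature, firmware image) and a vendor public key baked into the base station. A bundle is only accepted if the signature over version and image verifies under that key, and an anti-rollback check then rejects downgrades; a tampered image, a bundle signed with the wrong key, a replayed older version, or a truncated bundle are all refused before anything is written.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed bundle layout (hypothetical, not the vendor's format):
//   [4-byte big-endian version][64-byte Ed25519 signature][firmware image]
const (
	versionLen = 4
	sigLen     = ed25519.SignatureSize
	headerLen  = versionLen + sigLen
)

var (
	ErrMalformed    = errors.New("firmware update: malformed bundle")
	ErrBadSignature = errors.New("firmware update: signature verification failed")
	ErrRollback     = errors.New("firmware update: version is not newer than the installed one")
)

// Update is a bundle that passed both checks and may be flashed.
type Update struct {
	Version uint32
	Image   []byte
}

// signedPayload is what the vendor signs: version || image, so an attacker
// cannot swap the image or the version header independently.
func signedPayload(version uint32, image []byte) []byte {
	buf := make([]byte, versionLen, versionLen+len(image))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, image...)
}

// BuildUpdate is the vendor side (build server holding the private key).
func BuildUpdate(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	payload := signedPayload(version, image)
	sig := ed25519.Sign(priv, payload)
	out := make([]byte, 0, headerLen+len(image))
	out = append(out, payload[:versionLen]...)
	out = append(out, sig...)
	return append(out, image...)
}

// VerifyUpdate is the base-station side. It authenticates the bundle with the
// pinned vendor public key before looking at anything else, then enforces
// anti-rollback against the currently installed version.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, bundle []byte) (*Update, error) {
	if len(bundle) < headerLen {
		return nil, ErrMalformed
	}
	version := binary.BigEndian.Uint32(bundle[:versionLen])
	sig := bundle[versionLen:headerLen]
	image := bundle[headerLen:]

	if !ed25519.Verify(pub, signedPayload(version, image), sig) {
		return nil, ErrBadSignature
	}
	if version <= installed {
		return nil, ErrRollback
	}
	return &Update{Version: version, Image: image}, nil
}

func main() {
	// Constructed demo key pair; a real device would carry only the public key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	bundle := BuildUpdate(priv, 2, []byte("constructed firmware image v2"))

	if u, err := VerifyUpdate(pub, 1, bundle); err == nil {
		fmt.Printf("accepted update to version %d (%d bytes)\n", u.Version, len(u.Image))
	}
	tampered := append([]byte(nil), bundle...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the image
	_, err = VerifyUpdate(pub, 1, tampered)
	fmt.Println("tampered bundle:", err)
	_, err = VerifyUpdate(pub, 2, bundle)
	fmt.Println("replayed bundle:", err)
}
```

The order of the checks matters: the signature is verified before the version is trusted, so the anti-rollback comparison is only ever made against authenticated data. Pinning the public key in the base station is what makes the transport irrelevant; even if the robot-to-base link is weakly protected, an unsigned or re-signed image cannot pass this gate.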

Two other vulnerabilities receive a lower risk rating. Firstly, the Ecovacs devices use a hard-coded cryptographic key with which the robot and base establish a WPA2-PSK-protected Wi-Fi connection with each other; the key can be easily derived from the device serial number (CVE-2025-30198 / EUVD-2025-27020, CVSS4 5.3, risk "medium"). The same applies to the key of an AES-encrypted connection between the devices (CVE-2025-30200 / EUVD-2025-27023, CVSS4 5.3, risk "medium").

The vulnerabilities were initially reported by Ecovacs on May 8. Firmware updates were then made available for affected devices in July. The listed errors have been corrected in versions 2.5.38 for the X1S Pro and X1 Pro Omni, 2.4.45 for the X1 Omni and Turbo, 1.11.0 for the T10 series, 1.25.0 for the T20 series, and 1.100.0 for the T30 series of Deebot vacuum robots and base stations. The CVE entries for the vulnerabilities were published over the weekend.

Normally, the automatic update mechanism should already have offered the corresponding firmware. Anyone who has not yet installed the updates should do so immediately.

Towards the end of 2024, there were takeovers of Ecovacs vacuum cleaner robots, particularly in the USA. The attackers played screamed obscenities and racist abuse over the built-in speakers.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.