CVE-2024-11147
Published: 23 January 2025
Summary
CVE-2024-11147 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Ecovacs Deebot 900 Firmware. Its CVSS base score is 7.6 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Local Accounts (T1078.003). The vulnerability ranks at the 29.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and AC-2 (Account Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
IA-5 requires management and protection of authenticators, prohibiting hard-coded or predictable credentials such as the deterministic root password generated from model and serial number.
AC-2 ensures system accounts like root are identified, approved, reviewed, and managed to prevent use of default or hard-coded credentials.
PE-3 enforces physical access controls around the device, limiting the physical access an attacker needs to obtain a shell and exploit the vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability uses a deterministic root password based on model and serial number, allowing an attacker with shell access to authenticate as the root local account for privilege escalation.
MITRE ATLAS Techniques
NVD Description
ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can login as root.
Deeper analysis
CVE-2024-11147 is a vulnerability in ECOVACS robot lawnmowers and vacuums where a deterministic root password is generated based on the device's model and serial number. This hard-coded credential issue, classified under CWE-798 (Use of Hard-coded Credentials), allows unauthorized root access. The vulnerability received a CVSS v3.1 base score of 7.6 (AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impacts with physical access required.
An attacker with physical access to the device can exploit this by obtaining shell access and logging in as root using the predictable password. No privileges, user interaction, or complex conditions are needed beyond physical proximity. Successful exploitation grants full root privileges, enabling complete control over the device, including potential data exfiltration, modification of firmware, or disruption of operations.
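The weakness behind this CVE, as the mapped techniques and the analysis above both describe, is a root credential that can be recomputed from identifiers printed on the device label. The following Python is an added illustration of that pattern and of the IA-5 style fix; it is not ECOVACS code and the deterministic derivation shown is a hypothetical stand-in, not the vendor's real algorithm. It contrasts a label-derived password with a per-device random secret stored only as a salted scrypt hash, and adds a provisioning-line acceptance check that rejects any routine whose output can be reproduced from model and serial alone.

```python
import hashlib
import hmac
import os
import secrets
from typing import Callable, Tuple

# Toy stand-in for the weak pattern (assumption: NOT the real derivation).
# Anyone who knows the model and serial, plus this function, obtains the
# same root password, which is the CWE-798 weakness the CVE describes.
def derive_deterministic_password(model: str, serial: str) -> str:
    digest = hashlib.sha256(f"{model}:{serial}".encode()).hexdigest()
    return digest[:12]


# Hardened pattern: a random per-device secret is generated at provisioning.
# The device keeps only salt + scrypt hash; the plaintext is handed to the
# owner (or a secure element) and never recomputed from public identifiers.
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)

def provision_device_credential(model: str, serial: str) -> Tuple[str, bytes, bytes]:
    # model/serial only label the record; they do not influence the secret.
    password = secrets.token_urlsafe(18)
    salt = os.urandom(16)
    stored_hash = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return password, salt, stored_hash


def verify_password(candidate: str, salt: bytes, stored_hash: bytes) -> bool:
    # Constant-time comparison of the recomputed hash against the stored one.
    h = hashlib.scrypt(candidate.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(h, stored_hash)


# Acceptance check for a provisioning routine (assumption: hypothetical gate
# on the factory line). Provisioning the same model/serial twice must not
# reproduce the same secret; if it does, the secret is derived from public
# identifiers and is not a secret at all.
def credential_is_per_device(
    provisioner: Callable[[str, str], str], model: str, serial: str
) -> bool:
    first = provisioner(model, serial)
    second = provisioner(model, serial)
    return first != second


if __name__ == "__main__":
    model, serial = "EXAMPLE-MODEL", "SN000001"  # constructed sample identifiers
    print("deterministic routine passes check:",
          credential_is_per_device(derive_deterministic_password, model, serial))
    print("random routine passes check:",
          credential_is_per_device(lambda m, s: provision_device_credential(m, s)[0], model, serial))
    pw, salt, h = provision_device_credential(model, serial)
    print("stored hash verifies owner's password:", verify_password(pw, salt, h))
```

Running the check against the deterministic routine returns False because both calls yield the same string; the random routine returns True. The same property test can be applied to any device family's provisioning code without knowing the vendor's specific derivation.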
The vulnerability was disclosed through independent research, with details available in presentations from 37C3 2023 and HITCON 2024, as well as a password generation tool at builder.dontvacuum.me/ecopassword.php. No official advisories or patches are referenced in the available information.
Details
- CWE(s): CWE-798 (Use of Hard-coded Credentials)