Cyber Posture

CVE-2024-52325

Critical · Public PoC

Published: 23 January 2025
Modified: 23 September 2025
KEV Added
Patch
CVSS Score: 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0063 (70.4th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-52325 is a critical-severity Command Injection (CWE-77) vulnerability in Ecovacs Goat G1-2000 Firmware. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE ranks in the top 29.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-18 (Wireless Access) and IA-3 (Device Identification and Authentication).

Threat & Defense at a Glance

What attackers do: exploitation maps to Command and Scripting Interpreter (T1059) and 1 other technique.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Requires authorization, authentication, and encryption for wireless access, directly preventing unauthenticated BLE connections exploited in CVE-2024-52325.

prevent: Enforces validation of information inputs to the SetNetPin() function, blocking command injection (CWE-77) in this CVE.

prevent: Mandates identification and authentication of devices before establishing connections, mitigating unauthenticated BLE access by physical proximity attackers in this CVE.

MITRE ATT&CK Enterprise Techniques · AI

T1059 Command and Scripting Interpreter · Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

T1210 Exploitation of Remote Services · Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

Unauthenticated command injection via SetNetPin() over BLE enables arbitrary remote command execution (T1059) through exploitation of the vulnerable remote BLE service (T1210).

NVD Description

ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection.

Deeper analysis · AI

CVE-2024-52325 is a command injection vulnerability (CWE-77) affecting ECOVACS robot lawnmowers and vacuums. The issue resides in the SetNetPin() function, which is exposed over an unauthenticated Bluetooth Low Energy (BLE) connection. It carries a CVSS v3.1 base score of 9.6 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

An attacker in adjacent physical proximity, within BLE range, can exploit the vulnerability with low attack complexity, no required privileges, and no user interaction. Exploitation enables command injection, achieving high impacts on confidentiality, integrity, and availability across a changed scope, potentially allowing full device compromise.

ECOVACS has issued security advisories DSA-2024-11-19 and DSA-2024-11-30-001 detailing mitigations, available at their user help portal. Further technical analysis appears in a DEFCON 32 presentation on reverse engineering and hacking ECOVACS robots, including a related YouTube recording.

Details

CWE(s)

Affected Products

ecovacs · goat g1-2000 firmware · ≤ 1.36.187
ecovacs · goat g1 firmware · ≤ 1.36.187
ecovacs · goat g1-800 firmware · ≤ 1.36.187
ecovacs · gx-600 firmware · ≤ 1.2.120
ecovacs · deebot x2 omni firmware · ≤ 1.76.6
ecovacs · deebot x2 combo firmware · ≤ 1.81.10
ecovacs · deebot x2s firmware · ≤ 1.49.0
ecovacs · deebot x5 pro firmware · ≤ 1.70.0
ecovacs · deebot x5 pro plus firmware · ≤ 1.38.0
ecovacs · deebot x5 pro ultra firmware · ≤ 1.17.0
+2 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-57199 · Shared CWE-77
CVE-2025-59468 · Shared CWE-77
CVE-2025-57201 · Shared CWE-77
CVE-2024-52330 · Same product: Ecovacs Deebot X2 Combo
CVE-2025-59818 · Shared CWE-77
CVE-2024-11147 · Same product: Ecovacs Goat G1
CVE-2016-15057 · Shared CWE-77
CVE-2026-21638 · Shared CWE-77
CVE-2026-1324 · Shared CWE-77
CVE-2025-59470 · Shared CWE-77
