CVE-2024-52327
Published: 23 January 2025
Summary
CVE-2024-52327 is a medium-severity Use of Client-Side Authentication (CWE-603) vulnerability in Ecovacs Home. Its CVSS base score is 6.0 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Video Capture (T1125); it is ranked at the 29.1st percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-46256
Vulnerability details
The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed.
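The weakness class here (CWE-603) is a server that accepts a client-computed "PIN verified" result instead of checking the PIN itself. The following is an added illustration written for this page, not ECOVACS code and not derived from the proof-of-concept; the device record, field names (`pin_verified`, session ids) and the grant table are constructed assumptions. It contrasts a handler that trusts a client flag with one that verifies the PIN server-side and keeps the resulting grant in server state, so a request carrying the flag without the PIN is refused.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional

# Constructed sample state: one device with a server-side PIN record.
# Schema and names are assumptions for illustration only.
_SALT = os.urandom(16)
_PIN_HASH = hashlib.pbkdf2_hmac("sha256", b"4321", _SALT, 100_000)
DEVICE = {"device_id": "bot-001", "pin_salt": _SALT, "pin_hash": _PIN_HASH}

# Server-side record of which sessions have passed PIN entry and until when.
_VIDEO_GRANTS: Dict[str, float] = {}


def vulnerable_stream_access(session_user: str, request: dict) -> bool:
    """CWE-603 pattern: the server trusts a flag the client computed.

    The mobile app checks the PIN locally and then sends 'pin_verified': true.
    Anyone authenticated to the account can send that flag without a PIN.
    """
    return bool(session_user) and request.get("pin_verified") is True


def verify_pin(submitted: str) -> bool:
    """Server-side PIN check: same derivation, constant-time comparison."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", submitted.encode(), DEVICE["pin_salt"], 100_000
    )
    return hmac.compare_digest(candidate, DEVICE["pin_hash"])


def grant_video_access(session_id: str, submitted_pin: str, ttl_s: int = 300) -> bool:
    """Hardened flow: the PIN is checked here, and the grant lives in server state."""
    if not verify_pin(submitted_pin):
        return False
    _VIDEO_GRANTS[session_id] = time.time() + ttl_s
    return True


def hardened_stream_access(session_id: str, request: dict,
                           now: Optional[float] = None) -> bool:
    """Ignores any client-supplied verification flag; only a live server grant counts."""
    now = time.time() if now is None else now
    expiry = _VIDEO_GRANTS.get(session_id)
    return expiry is not None and now < expiry


if __name__ == "__main__":
    forged = {"pin_verified": True}  # no PIN supplied, flag set by the client
    print("vulnerable:", vulnerable_stream_access("alice", forged))
    print("hardened, no grant:", hardened_stream_access("sess-1", forged))
    grant_video_access("sess-1", "4321")
    print("hardened, after PIN:", hardened_stream_access("sess-1", {}))
```

The point of the hardened path is that the request body never carries the authorization decision: the client submits a PIN, the server derives and compares it, and the only evidence the stream endpoint consults is the server's own grant table, which also expires. A production service would add rate limiting on PIN attempts and audit logging of grants, which are out of scope for this sketch.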
- CWE(s): CWE-603 (Use of Client-Side Authentication)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Video Capture (T1125)
- Exploitation of Remote Services (T1210)
Why these techniques?
The vulnerability in the ECOVACS cloud service enables authenticated attackers to bypass PIN authentication and access live video feeds from robot devices, facilitating Video Capture (T1125) and Exploitation of Remote Services (T1210).
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Prevents reliance on untrusted matching results for security-relevant decisions by enforcing verification and contest procedures.
- Providing authoritative attributes with the data reduces the need for security decisions to rely on untrusted external inputs.
- Reduces reliance on untrusted inputs by ensuring only authorized sources may supply data.