Cyber Resilience

CVE-2024-52331

Severity: High · Public PoC referenced

Published: 23 January 2025
Modified: 02 October 2025
KEV Added: not listed
Patch: none referenced
CVSS v4 score: 7.7 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
EPSS score: 0.0008 (24.2nd percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-52331 is a high-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Ecovacs Deebot firmware (Deebot 900 and the further models listed under Affected Assets). Its CVSS v4 base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK techniques Component Firmware (T1542.002) and Implant Internal Image (T1525). The CVE sits at the 24.2nd percentile by EPSS exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-7 (Software, Firmware, and Information Integrity), CM-14 (Signed Components) and SC-12 (Cryptographic Key Establishment and Management). Of these, signature verification of firmware (SI-7, CM-14) is what actually removes the flaw; better key management alone cannot make a shared symmetric key prove who produced an image.

Deeper analysis

CVE-2024-52331 is a vulnerability in ECOVACS robot lawnmowers and vacuums that stems from the use of a deterministic symmetric key to decrypt firmware updates. Because the key is fixed or reproducibly derived rather than unique and secret, anyone who recovers it holds the same key the devices use, and decryption with it provides confidentiality at best and no proof of origin. An attacker can therefore craft malicious firmware, encrypt it with the known key, and have the affected device decrypt and install it. Published on 2025-01-23, the issue carries a CVSS 3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) alongside the CVSS 4.0 score of 7.7 given above, and maps to CWE-327 (Use of a Broken or Risky Cryptographic Algorithm), CWE-494 (Download of Code Without Integrity Check) and CWE-1391 (Use of Weak Credentials).

Exploitation requires network access and no privileges, but attack complexity is high and user interaction is required: the attacker needs some way to get the device to apply their image, for example by tricking the owner into installing a crafted update. Successful exploitation has high impact on confidentiality, integrity and availability: the attacker's code runs as the robot's firmware, which allows persistent control, data exfiltration and physical manipulation of the device.

The vulnerability was detailed in security research presentations: one from 37C3 (2023) at https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf and another from HITCON 2024 at https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.html. No vendor advisory or patch is referenced in the available information.

Vulnerability details

ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1525 Implant Internal Image (Persistence): Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment.
T1542.002 Component Firmware (Stealth): Adversaries may modify component firmware to persist on systems.
T1601.001 Patch System Image (Defense Impairment): Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.
T1123 Audio Capture (Collection): An adversary can leverage a computer's peripheral devices (e.
T1125 Video Capture (Collection): An adversary can leverage a computer's peripheral devices (e.
Why these techniques?

A known symmetric key lets an attacker produce firmware images the device will decrypt and flash. That is persistence through modified component firmware (T1542.002) and, in the broader mapping used here, implanting a malicious image (T1525; note that ATT&CK defines this technique for cloud and container images, so T1542.002 is the closer fit for a robot) and patching the system image to weaken its defenses (T1601.001). Because the affected robots carry cameras and microphones, attacker-controlled firmware also enables collection through Audio Capture (T1123) and Video Capture (T1125).

CVEs Like This One

CVE-2024-11147 (same product: Ecovacs Airbot Andy)
CVE-2024-52330 (same product: Ecovacs Deebot T10)
CVE-2024-52325 (same product: Ecovacs Goat G1)
CVE-2024-52329 (same vendor: Ecovacs)
CVE-2026-5588 (shared CWE-327)
CVE-2024-50696 (shared CWE-494)
CVE-2025-1058 (shared CWE-494)
CVE-2025-66597 (shared CWE-327)
CVE-2026-28252 (shared CWE-327)
CVE-2025-68698 (shared CWE-327)

Affected Assets

Vendor: ecovacs. Affected products (all versions):
deebot 900 firmware
deebot n8 firmware
deebot t8 firmware
deebot n9 firmware
deebot t9 firmware
deebot n10 firmware
deebot t10 firmware
deebot x1 firmware
deebot t20 firmware
deebot x2 firmware
plus 4 more product configurations (see NVD for the full list)

Mitigating Controls (NIST 800-53 r5; AI-generated mapping)

SI-7 Software, Firmware, and Information Integrity (prevent): requires integrity verification of firmware before it is installed, which blocks attacker-crafted images even though they decrypt correctly under the deterministic key. The check has to be a signature under a key the attacker does not hold, or a hash pinned through a trusted channel; a hash shipped alongside the image adds nothing, since whoever can encrypt the image can also compute its hash.

CM-14 Signed Components (prevent): mandates that only firmware signed by a trusted source is installed, so an image that decrypts correctly under the shared symmetric key is still rejected unless the vendor's signature over it verifies. This is the control that directly removes the flaw.

SC-12 Cryptographic Key Establishment and Management (prevent): requires keys to be generated, distributed and protected so that no predictable or fleet-wide symmetric key ends up in every device. On its own this only narrows the blast radius (a key pulled from one device would no longer work against the rest of the fleet); encryption under any shared symmetric key still cannot prove who produced an image, so SC-12 complements SI-7 and CM-14 rather than replacing them.
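Worked example, added here and not taken from Ecovacs, NVD or the cited research: a Go model of both halves of this page, the accept-if-it-decrypts update path described under Vulnerability details and Deeper analysis, and the SI-7/CM-14 signed-component check described in the controls above. The image header, the fleet key and the nonce||AES-GCM blob layout are constructed assumptions for the demo, not the real update format; Ed25519 stands in for whatever signature scheme a vendor would choose. The attacker encrypts an arbitrary payload with the key every device carries; VulnerableInstall flashes it, HardenedInstall refuses it because the pinned vendor public key never verifies, and accepts only the vendor-signed blob.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ImageMagic is a constructed header. "It decrypts and the header parses" is
// the only check the vulnerable design makes, and that is not an authenticity check.
var ImageMagic = []byte("FWIMG\x00")

// FleetKey is a constructed stand-in for the deterministic, fleet-wide symmetric
// key: every device holds it, so dumping one device's flash hands it to the attacker.
var FleetKey = sha256.Sum256([]byte("constructed example key, not a real vendor key"))

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt returns nonce || AES-256-GCM ciphertext+tag. The tag catches bit flips
// but proves nothing about origin: anyone holding the key can mint a valid blob.
func Encrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// BuildImage wraps a payload in the expected header; vendor and attacker do the same.
func BuildImage(payload []byte) []byte { return append(append([]byte{}, ImageMagic...), payload...) }

// ForgeUpdate is the attacker's side of CVE-2024-52331: any image, under the known key.
func ForgeUpdate(payload []byte) ([]byte, error) { return Encrypt(FleetKey[:], BuildImage(payload)) }

// VulnerableInstall models the flawed device logic: if the blob decrypts under the
// fleet key and the header parses, it gets flashed.
func VulnerableInstall(blob []byte) ([]byte, error) {
	gcm, err := newGCM(FleetKey[:])
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("blob too short")
	}
	img, err := gcm.Open(nil, blob[:n], blob[n:], nil)
	if err != nil {
		return nil, err
	}
	if !bytes.HasPrefix(img, ImageMagic) {
		return nil, errors.New("bad image header")
	}
	return img[len(ImageMagic):], nil
}

// SignUpdate is the vendor's side of the fix (SI-7 / CM-14): an Ed25519 signature
// over the encrypted blob, prepended to it. Devices carry only the public key.
func SignUpdate(priv ed25519.PrivateKey, blob []byte) []byte {
	return append(ed25519.Sign(priv, blob), blob...)
}

// HardenedInstall verifies against the pinned vendor public key before touching the
// ciphertext, so a blob forged with the leaked symmetric key is never even decrypted.
func HardenedInstall(vendorPub ed25519.PublicKey, update []byte) ([]byte, error) {
	if len(update) < ed25519.SignatureSize {
		return nil, errors.New("update too short")
	}
	sig, blob := update[:ed25519.SignatureSize], update[ed25519.SignatureSize:]
	if !ed25519.Verify(vendorPub, blob, sig) {
		return nil, errors.New("vendor signature invalid: refusing to flash")
	}
	return VulnerableInstall(blob) // decrypt and parse only authenticated data
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	forged, _ := ForgeUpdate([]byte("attacker payload"))
	_, err := VulnerableInstall(forged)
	fmt.Println("vulnerable installer accepts forged image:", err == nil)
	_, err = HardenedInstall(pub, append(make([]byte, ed25519.SignatureSize), forged...))
	fmt.Println("hardened installer rejects forged image:", err != nil)
	genuine, _ := Encrypt(FleetKey[:], BuildImage([]byte("vendor build")))
	_, err = HardenedInstall(pub, SignUpdate(priv, genuine))
	fmt.Println("hardened installer accepts vendor-signed image:", err == nil)
}
```

Two points to take from it. The GCM authentication tag does not help, because the attacker holds the very key that produces the tag; in main the forged blob is handed to the hardened installer with a zero-filled signature slot, which is the best an attacker without the vendor's private key can do. And the signature is checked before decryption, so untrusted ciphertext never reaches the image parser at all. Run it with go run; each printed line reports whether the installer behaved as the text describes.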

References