CVE-2024-52331
Published: 23 January 2025
Summary
CVE-2024-52331 is a high-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Ecovacs Deebot 900 Firmware. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Implant Internal Image (T1525); ranked at the 24.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related: it is categorised as Mobile/Edge AI, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 CM-14 (Signed Components) and SC-12 (Cryptographic Key Establishment and Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
SI-7 requires integrity verification mechanisms such as digital signatures or hashes for firmware, preventing installation of attacker-crafted malicious firmware despite successful decryption with the deterministic key.
CM-14 mandates the use of signed firmware components from trusted sources, ensuring only authentic updates are installed even if encrypted with a known symmetric key.
SC-12 enforces cryptographic key establishment and management practices that prohibit deterministic or predictable symmetric keys, so an attacker cannot produce malicious firmware that the device will decrypt as if it were valid.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability lets an attacker craft malicious firmware updates with the known symmetric key, which supports implanting code in firmware images (T1525), modifying component firmware for persistence (T1542.002), patching system images (T1601.001), and collection through unauthorized camera/microphone access (T1123, T1125), as noted in advisories.
NVD Description
ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt malicious firmware that will be successfully decrypted and installed by the robot.
Deeper analysis (AI)
CVE-2024-52331 is a vulnerability in ECOVACS robot lawnmowers and vacuums that stems from the use of a deterministic symmetric key for decrypting firmware updates. This design flaw enables an attacker to craft malicious firmware, encrypt it with the known key, and have it successfully decrypted and installed by the affected device. Published on 2025-01-23, the issue carries a CVSS 3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps to CWE-327 (Broken or Risky Cryptographic Algorithm), CWE-494 (Download of Code Without Integrity Check), and CWE-1391 (Use of Weak Cryptographic Primitive).
Exploitation requires network access with no privileges, but involves high attack complexity and user interaction, such as tricking a device owner into applying the attacker's firmware update. Successful exploitation grants high impacts on confidentiality, integrity, and availability, allowing full compromise of the robot's firmware and potentially enabling persistent control, data exfiltration, or physical manipulation of the device.
The vulnerability was detailed in security research presentations, including one from 37C3 2023 at https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf and another from HITCON 2024 at https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.html. No specific advisories or patches are referenced in available information.
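The core of the flaw described above, and of the CM-14/SI-7 controls listed under Mitigating Controls, is that decrypting an update with a key shared by every unit proves nothing about who produced it: only a vendor signature, checked with a public key embedded in the device, does. The Go program below is an added illustration, not ECOVACS code and not part of this record. It assumes a hypothetical image layout (magic, version, Ed25519 signature, payload), and contrasts a legacy path that accepts any well-formed image with a hardened path that verifies the signature and refuses rollbacks before anything is installed. The layout, function names and payload strings are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout used in this example (hypothetical, not the
// vendor's real container format):
//   magic "FWIM" (4) | version (4, big-endian) | Ed25519 signature (64) | payload
var magic = []byte("FWIM")

const (
	headerLen = 4 + 4
	sigLen    = ed25519.SignatureSize
)

var (
	ErrBadMagic     = errors.New("not a firmware image")
	ErrBadSignature = errors.New("signature verification failed")
	ErrRollback     = errors.New("image version is not newer than the installed version")
)

// NewKeyPair models the vendor's signing key. Only the public half is
// embedded in the device; the private half stays in the release pipeline.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signedRegion is what the signature covers: version and payload together,
// so neither can be altered without invalidating it.
func signedRegion(version uint32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, payload...)
}

// BuildSignedImage is the vendor-side step required by CM-14 (signed components).
func BuildSignedImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	sig := ed25519.Sign(priv, signedRegion(version, payload))
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	img := make([]byte, 0, headerLen+sigLen+len(payload))
	img = append(img, magic...)
	img = append(img, v[:]...)
	img = append(img, sig...)
	return append(img, payload...)
}

// AcceptLegacy models the flawed device-side path: any well-formed image is
// accepted. A decryption step with a fleet-wide fixed key would change nothing,
// because successful decryption does not show who produced the image.
func AcceptLegacy(image []byte) ([]byte, error) {
	if len(image) < headerLen+sigLen || !bytes.Equal(image[:4], magic) {
		return nil, ErrBadMagic
	}
	return image[headerLen+sigLen:], nil
}

// VerifyImage is the hardened device-side path (SI-7 integrity verification):
// check the vendor signature with the embedded public key and reject rollbacks
// before the payload is handed to the installer.
func VerifyImage(pub ed25519.PublicKey, installedVersion uint32, image []byte) ([]byte, error) {
	if len(image) < headerLen+sigLen || !bytes.Equal(image[:4], magic) {
		return nil, ErrBadMagic
	}
	version := binary.BigEndian.Uint32(image[4:8])
	sig := image[headerLen : headerLen+sigLen]
	payload := image[headerLen+sigLen:]
	if !ed25519.Verify(pub, signedRegion(version, payload), sig) {
		return nil, ErrBadSignature
	}
	if version <= installedVersion {
		return nil, ErrRollback
	}
	return payload, nil
}

func main() {
	vendorPub, vendorPriv := NewKeyPair()
	_, otherPriv := NewKeyPair() // some key that is not the vendor's

	genuine := BuildSignedImage(vendorPriv, 2, []byte("constructed payload v2"))
	wrongKey := BuildSignedImage(otherPriv, 3, []byte("constructed payload, wrong key"))

	_, err := AcceptLegacy(wrongKey)
	fmt.Println("legacy path accepts wrong-key image:", err == nil)
	_, err = VerifyImage(vendorPub, 1, wrongKey)
	fmt.Println("hardened path rejects wrong-key image:", err)
	_, err = VerifyImage(vendorPub, 1, genuine)
	fmt.Println("hardened path accepts genuine image:", err == nil)
}
```

The rollback check matters as much as the signature: a genuinely signed but older image would otherwise let an attacker reintroduce a fixed vulnerability, so the installed version is an input to verification rather than something the image declares about itself.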
AI Security Analysis (AI)
- AI Category
- Mobile/Edge AI
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- ECOVACS robot lawnmowers and vacuums are edge AI devices that use computer vision and machine learning for navigation, mapping, and obstacle avoidance via cameras and sensors. The firmware update vulnerability affects the deployment of software on these AI-enabled robotic platforms.