CVE-2024-52330

Name: CVE-2024-52330
Creator: NVD / NIST
Published: 2025-01-23T17:15:14.427+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.5/10EPSS 0.33%

Last modified Jun 17, 2026

CVE-2024-52330 is a critical-severity vulnerability rated 9.5/10 on the CVSS scale. ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.. EPSS estimates a 0.33% chance of exploitation in the next 30 days.

Description

ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.

Metrics

CVSS 3.1

7.4/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS 4.0

9.5/10

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS Probability

0.33%

25.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-295

Affected Software

Vendor	Product	Versions
Ecovacs	Deebot X2 Omni Firmware	< 1.76.6
Ecovacs	Deebot X2 Combo Firmware	< 1.81.10
Ecovacs	Deebot X2s Firmware	< 1.49.0
Ecovacs	Deebot X5 Pro Firmware	< 1.70.0
Ecovacs	Deebot X5 Pro Plus Firmware	< 1.38.0
Ecovacs	Deebot X5 Pro Ultra Firmware	< 1.17.0
Ecovacs	Mate X Firmware	< 1.44.18
Ecovacs	Deebot X1 Omni Firmware	< 2.4.41
Ecovacs	Deebot X1 Turbo Firmware	< 2.4.41
Ecovacs	Deebot X1 Pro Omni Firmware	< 2.4.41
Ecovacs	Deebot X1 Firmware	< 1.7.3
Ecovacs	Deebot X1 Plus Firmware	< 1.7.3
Ecovacs	Deebot X1s Pro Firmware	< 2.5.31
Ecovacs	Deebot X1s Pro Plus Firmware	< 1.23.0
Ecovacs	Deebot X1e Omni Firmware	< 2.4.42
Ecovacs	Deebot T10 Turbo Firmware	< 1.10.0
Ecovacs	Deebot T10 Plus Firmware	< 1.7.5
Ecovacs	Deebot T10 Firmware	< 1.7.5
Ecovacs	Deebot T10 Omni Firmware	< 1.9.0
Ecovacs	Deebot X2 Pro Firmware	< 1.76.6

References

https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdfExploit, Third Party Advisory
https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdfExploit, Third Party Advisory
https://www.ecovacs.com/global/userhelp/dsa20241217001Vendor Advisory

Timeline

Published: Jan 23, 2025
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2024-52330?

ECOVACS lawnmowers and vacuums do not properly validate TLS certificates. An unauthenticated attacker can read or modify TLS traffic, possibly modifying firmware updates.

How severe is CVE-2024-52330?

CVE-2024-52330 has a CVSS score of 9.5/10 (CRITICAL severity). The EPSS model estimates a 0.33% probability of exploitation in the next 30 days.

How do I fix CVE-2024-52330?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-52330?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST