ECOVACS DEEBOT Vacuum and Base Station (Update A)
Plan: Patch · CVSS 7.2 · ICS-CERT ICSA-25-135-19 · May 15, 2025
Attack Vector: Network
Privileges Required (Auth Required): High
Attack Complexity: Low
User Interaction: None
Summary
ECOVACS DEEBOT vacuum cleaners and base stations contain two weaknesses, CWE-321 (use of a hard-coded cryptographic key) and CWE-494 (download of code without integrity check), that could allow an attacker with high privileges to deliver malicious updates or execute code on affected devices. Affected models and the firmware versions that fix them: X1S PRO and X1 PRO OMNI below 2.5.38; X1 OMNI and X1 TURBO below 2.4.45; T10 Series below 1.11.0; T20 Series below 1.25.0; T30 Series below 1.100.0. ECOVACS has released the fixed firmware and proactively pushed it to users.
What this means
What could happen
An attacker holding administrative credentials could push malicious firmware updates to DEEBOT vacuums or execute code on the vacuum and its base station, compromising the device and gaining a foothold on the WiFi network it is joined to.
Who's at risk
This affects owners and facility managers using ECOVACS DEEBOT vacuum cleaners and base stations in homes and small businesses. The devices are consumer IoT products that connect to home or business WiFi networks. Facility managers at municipalities or utilities using robotic cleaning equipment in offices or facilities should verify whether DEEBOT devices are present on their networks.
How it could be exploited
An attacker would first need to authenticate to the ECOVACS cloud service or device management interface with high-privilege credentials (a compromised administrator or engineer account). Once authenticated, they could craft a malicious firmware image and deliver it through the normal update mechanism, or execute code directly through an administrative interface. Two weaknesses make the firmware path work. CWE-321 means a cryptographic key is hard-coded in the firmware rather than unique to each device, so anyone who extracts it from one unit holds it for every unit. CWE-494 means the device does not verify the integrity and origin of a downloaded image before applying it, so an image an attacker has prepared is installed as if it were genuine.
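The two weaknesses are easiest to see side by side in code. The Go program below is an added example written for this page, not ECOVACS code; the image layouts, the hard-coded key value and the version rule are constructed for illustration and do not describe the real DEEBOT update format. The legacy path accepts any image that decrypts under a key baked into every unit and carries a matching SHA-256, which is what CWE-321 combined with CWE-494 amounts to: whoever has dumped the key from one device can build images every device accepts. The hardened path keeps only the vendor's Ed25519 public key on the device, verifies a signature covering both version and payload, and additionally refuses downgrades, an anti-rollback check the advisory itself does not mention.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// hardcodedKey stands in for a device-wide symmetric key shipped inside the firmware
// (CWE-321). Dumping one unit's flash reveals it, so holding it proves nothing. Example value.
var hardcodedKey = []byte("example-hardcoded-key-32-bytes!!")

// ctrXOR encrypts or decrypts (CTR is symmetric) under the baked-in key with a fixed IV.
func ctrXOR(in []byte) []byte {
	block, _ := aes.NewCipher(hardcodedKey) // key is exactly 32 bytes, so no error
	iv := make([]byte, aes.BlockSize)      // fixed IV: a further weakness, not the one shown here
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// legacyBuild (constructed layout): AES-256-CTR( payload || SHA-256(payload) ).
// This is what the vendor tooling does, and what anyone holding the leaked key can do.
func legacyBuild(payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return ctrXOR(append(append([]byte{}, payload...), sum[:]...))
}

// legacyAccept models CWE-494: "it decrypted and the digest matches" is taken as proof of
// origin, but a digest carried inside the image only detects corruption, not substitution.
func legacyAccept(image []byte) ([]byte, error) {
	plain := ctrXOR(image)
	if len(plain) < sha256.Size {
		return nil, errors.New("image too short")
	}
	payload, got := plain[:len(plain)-sha256.Size], plain[len(plain)-sha256.Size:]
	want := sha256.Sum256(payload)
	if !bytes.Equal(got, want[:]) {
		return nil, errors.New("digest mismatch")
	}
	return payload, nil
}

// genKey creates an Ed25519 key pair (the vendor's, or for the demonstration an attacker's).
func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// signedBuild (constructed layout): version (4 bytes, big-endian) || payload || Ed25519
// signature over those bytes. Runs on the vendor build system; the private key never ships.
func signedBuild(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	body := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint32(body, version)
	copy(body[4:], payload)
	return append(body, ed25519.Sign(priv, body)...)
}

// signedAccept is the hardened device-side check: only the vendor's public key lives on
// the device, the signature covers version and payload, and the version must move forward.
func signedAccept(vendorPub ed25519.PublicKey, installed uint32, image []byte) (uint32, []byte, error) {
	if len(image) < 4+ed25519.SignatureSize {
		return 0, nil, errors.New("image too short")
	}
	body, sig := image[:len(image)-ed25519.SignatureSize], image[len(image)-ed25519.SignatureSize:]
	if !ed25519.Verify(vendorPub, body, sig) {
		return 0, nil, errors.New("signature not made with the vendor key")
	}
	version := binary.BigEndian.Uint32(body)
	if version <= installed {
		return 0, nil, errors.New("downgrade refused")
	}
	return version, body[4:], nil
}

func main() {
	vendorPub, vendorPriv := genKey()
	_, attackerPriv := genKey()
	payload := []byte("constructed firmware payload") // stands in for a real image

	// Legacy: the attacker reuses the extracted key; the device cannot tell the difference.
	_, err := legacyAccept(legacyBuild([]byte("attacker payload")))
	fmt.Println("legacy, attacker-built image:", err)
	// Hardened: the vendor image passes; attacker-signed and downgraded images fail.
	_, _, err = signedAccept(vendorPub, 1, signedBuild(vendorPriv, 2, payload))
	fmt.Println("signed, vendor v2 on v1 device:", err)
	_, _, err = signedAccept(vendorPub, 1, signedBuild(attackerPriv, 2, payload))
	fmt.Println("signed, attacker-signed v2:", err)
	_, _, err = signedAccept(vendorPub, 3, signedBuild(vendorPriv, 2, payload))
	fmt.Println("signed, vendor v2 on v3 device:", err)
}
```

Run it with `go run`: the legacy verifier returns no error for the attacker-built image, while the signed verifier accepts only the vendor-signed, newer image. The point that carries over to real devices is that a symmetric key present on the device, however well hidden, authenticates nobody, and a digest embedded in the image only catches accidental corruption; authenticity needs a signature checked against a public key, with the signing key kept off the device.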
Prerequisites
- Valid high-privilege administrative or engineer credentials for the ECOVACS management system or cloud service
- Network access to the ECOVACS cloud infrastructure or device management interface (typically internet-accessible)
- Device must be registered and connected to ECOVACS cloud services
Key risk factors
- High CVSS score (7.2)
- Affects multiple device models across the product line
- Requires a high privilege level, but the weak cryptographic controls increase the risk once that level is reached
- Connected to home or business networks over WiFi
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (7, all with a fix available)

Product        Affected versions   Fix status
X1S PRO        < 2.5.38            2.5.38 or later
X1 PRO OMNI    < 2.5.38            2.5.38 or later
X1 OMNI        < 2.4.45            2.4.45 or later
X1 TURBO       < 2.4.45            2.4.45 or later
T10 Series     < 1.11.0            1.11.0 or later
T20 Series     < 1.25.0            1.25.0 or later
T30 Series     < 1.100.0           1.100.0 or later
Remediation & Mitigation
Do now
WORKAROUND: Do not give DEEBOT devices internet connectivity unless the cloud features are actually needed; use home or business firewall rules to block outbound connections from the vacuum to the ECOVACS cloud. The attack path described above runs through that same cloud connection, so blocking it removes the exposure, but it also blocks the proactively pushed firmware fix: confirm the fixed firmware is installed before cutting the device off.
WORKAROUND: If DEEBOT cloud integration is not required, disable cloud synchronization and the update features in the device settings, again only after the fixed firmware is confirmed installed, since a device with updates disabled stays on whatever version it has.
Schedule (requires a maintenance window)
Patching may require a device reboot; plan for an interruption of cleaning schedules.
HOTFIX: Update all affected DEEBOT vacuum devices to the fixed firmware (X1S PRO and X1 PRO OMNI to 2.5.38 or later, X1 OMNI and X1 TURBO to 2.4.45 or later, T10 Series to 1.11.0 or later, T20 Series to 1.25.0 or later, T30 Series to 1.100.0 or later). Firmware updates have been proactively pushed; verify in the device settings that each unit reports the fixed version rather than assuming the push succeeded.
Long-term hardening
HARDENING: Segment DEEBOT devices onto a separate guest or IoT network isolated from systems that hold sensitive data, so that a compromised vacuum cannot reach them directly.