ECOVACS DEEBOT Vacuum and Base Station (Update A)

Status: Plan Patch
CVSS: 7.2
ICS-CERT: ICSA-25-135-19
Published: May 15, 2025
Attack path
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

ECOVACS DEEBOT vacuums and base stations contain vulnerabilities (CWE-321, CWE-494) that allow an attacker with high privileges to send malicious updates to the devices and execute code on them. Affected models include X1S PRO, X1 PRO OMNI, X1 OMNI, X1 TURBO, and T10/T20/T30 series devices. ECOVACS has released firmware updates for all affected products and has proactively pushed updates to users. Devices supporting automatic updates will receive notifications and can be updated through the standard system update process.

What this means
What could happen
An attacker with high privileges could push malicious firmware updates to ECOVACS vacuums and base stations, achieving code execution on the device. This could compromise the integrity of the device's operation and potentially expose network information from the connected home or facility.
Who's at risk
Organizations and individuals using ECOVACS DEEBOT vacuum cleaners and base stations across all model lines (X1 series, T10/T20/T30 series). This affects household and small business deployments where these devices are connected to home or facility networks.
How it could be exploited
An attacker with administrative or high-level credentials could trigger the update mechanism to inject and execute malicious firmware on the device. The vulnerability requires network access to the device or its update infrastructure, plus elevated privileges to initiate the malicious update.
Prerequisites
  • High-level privileges (administrative or update authorization)
  • Network access to the device or its update infrastructure
  • Remotely exploitable
  • High privileges required to exploit
  • Malicious update injection possible
  • Code execution capability
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (7)
7 with fix
Product        Affected Versions   Fix Status
X1S PRO        < 2.5.38            Fixed in 2.5.38+
X1 PRO OMNI    < 2.5.38            Fixed in 2.5.38+
X1 OMNI        < 2.4.45            Fixed in 2.4.45+
X1 TURBO       < 2.4.45            Fixed in 2.4.45+
T10 Series     < 1.11.0            Fixed in 1.11.0+
T20 Series     < 1.25.0            Fixed in 1.25.0+
T30 Series     < 1.100.0           Fixed in 1.100.0+
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update X1S PRO devices to firmware version 2.5.38 or later
HOTFIX: Update X1 PRO OMNI devices to firmware version 2.5.38 or later
HOTFIX: Update X1 OMNI devices to firmware version 2.4.45 or later
HOTFIX: Update X1 TURBO devices to firmware version 2.4.45 or later
HOTFIX: Update T10 Series devices to firmware version 1.11.0 or later
HOTFIX: Update T20 Series devices to firmware version 1.25.0 or later
HOTFIX: Update T30 Series devices to firmware version 1.100.0 or later
Long-term hardening
HARDENING: Restrict network access to ECOVACS devices by placing them behind a firewall and isolating them from business networks