Ecovacs Goat G1 Firmware — known CVE vulnerabilities
Every CVE whose affected-product data names Ecovacs Goat G1 Firmware, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (6)
CVE-2024-52325 — CVSS 9.6 (critical): ECOVACS robot lawnmowers and vacuums are vulnerable to command injection via SetNetPin() over an unauthenticated BLE connection.
CVE-2024-11147 — CVSS 7.6 (high): ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell…
CVE-2024-52331 — CVSS 7.5 (high): ECOVACS robot lawnmowers and vacuums use a deterministic symmetric key to decrypt firmware updates. An attacker can create and encrypt…
CVE-2024-12078 — CVSS 6.3 (medium): ECOVACS robot lawn mowers and vacuums use a shared, static secret key to encrypt BLE GATT messages. An unauthenticated attacker within BLE…
CVE-2024-12079 — CVSS 3.3 (low): ECOVACS robot lawnmowers store the anti-theft PIN in cleartext on the device filesystem. An attacker can steal a lawnmower, read the PIN…
CVE-2024-52328 — CVSS 2.3 (low): ECOVACS robot lawnmowers and vacuums insecurely store audio files used to indicate that the camera is on. An attacker with access to the…