CVE-2025-30199
BaseFortify
Publication date: 2025-09-05
Last updated on: 2025-09-23
Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ecovacs | deebot_x1s_pro_firmware | to 2.5.38 (exc) |
| ecovacs | deebot_x1s_pro | * |
| ecovacs | deebot_x1_pro_omni_firmware | to 2.5.38 (exc) |
| ecovacs | deebot_x1_pro_omni | * |
| ecovacs | deebot_x1_omni_firmware | to 2.4.45 (exc) |
| ecovacs | deebot_x1_omni | * |
| ecovacs | deebot_x1s_pro_firmware | to 2.4.45 (exc) |
| ecovacs | deebot_x1s_pro | * |
| ecovacs | deebot_x1_turbo_firmware | to 2.5.38 (exc) |
| ecovacs | deebot_x1_turbo | * |
| ecovacs | deebot_x1s_pro_firmware | to 2.4.45 (exc) |
| ecovacs | deebot_x1s_pro | * |
| ecovacs | deebot_t10_firmware | to 1.11.0 (exc) |
| ecovacs | deebot_t10 | * |
| ecovacs | deebot_t10_omni_firmware | to 1.11.0 (exc) |
| ecovacs | deebot_t10_omni | * |
| ecovacs | deebot_t10_plus_firmware | to 1.11.0 (exc) |
| ecovacs | deebot_t10_plus | * |
| ecovacs | deebot_t10_turbo_firmware | to 1.11.0 (exc) |
| ecovacs | deebot_t10_turbo | * |
| ecovacs | deebot_t20_omni_firmware | to 1.25.0 (exc) |
| ecovacs | deebot_t20_omni | * |
| ecovacs | deebot_t20_pro_plus_firmware | to 1.25.0 (exc) |
| ecovacs | deebot_t20_pro_plus | * |
| ecovacs | deebot_t20_pro_firmware | to 1.25.0 (exc) |
| ecovacs | deebot_t20_pro | * |
| ecovacs | deebot_t30_omni_firmware | to 1.100.0 (exc) |
| ecovacs | deebot_t30_omni | * |
| ecovacs | deebot_t30s_firmware | to 1.100.0 (exc) |
| ecovacs | deebot_t30s | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-494 | The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists because ECOVACS vacuum robot base stations do not validate firmware updates. As a result, an attacker can send malicious over-the-air firmware updates to the base station through the insecure connection between the robot and the base station.
How can this vulnerability impact me? :
The vulnerability can lead to a complete compromise of the base station, allowing an attacker to execute malicious code, potentially causing high impact on confidentiality, integrity, and availability of the device and its data.