CVE-2025-30200
BaseFortify
Publication date: 2025-09-05
Last updated on: 2025-09-23
Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ecovacs | deebot_x1s_pro_firmware | to 2.5.38 (exc) |
| ecovacs | deebot_x1s_pro | * |
| ecovacs | deebot_x1_pro_omni_firmware | to 2.5.38 (exc) |
| ecovacs | deebot_x1_pro_omni | * |
| ecovacs | deebot_x1_omni_firmware | to 2.4.45 (exc) |
| ecovacs | deebot_x1_omni | * |
| ecovacs | deebot_x1s_pro_firmware | to 2.4.45 (exc) |
| ecovacs | deebot_x1s_pro | * |
| ecovacs | deebot_x1_turbo_firmware | to 2.5.38 (exc) |
| ecovacs | deebot_x1_turbo | * |
| ecovacs | deebot_t10_firmware | to 1.11.0 (exc) |
| ecovacs | deebot_t10 | * |
| ecovacs | deebot_t10_omni_firmware | to 1.11.0 (exc) |
| ecovacs | deebot_t10_omni | * |
| ecovacs | deebot_t10_plus_firmware | to 1.11.0 (exc) |
| ecovacs | deebot_t10_plus | * |
| ecovacs | deebot_t10_turbo_firmware | to 1.11.0 (exc) |
| ecovacs | deebot_t10_turbo | * |
| ecovacs | deebot_t20_omni_firmware | to 1.25.0 (exc) |
| ecovacs | deebot_t20_omni | * |
| ecovacs | deebot_t20_pro_plus_firmware | to 1.25.0 (exc) |
| ecovacs | deebot_t20_pro_plus | * |
| ecovacs | deebot_t20_pro_firmware | to 1.25.0 (exc) |
| ecovacs | deebot_t20_pro | * |
| ecovacs | deebot_t30_omni_firmware | to 1.100.0 (exc) |
| ecovacs | deebot_t30_omni | * |
| ecovacs | deebot_t30s_firmware | to 1.100.0 (exc) |
| ecovacs | deebot_t30s | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
| CWE-321 | The product uses a hard-coded, unchangeable cryptographic key. |
AI Powered Q&A
How can this vulnerability impact me?
The vulnerability could allow an attacker within range of the Wi-Fi network to intercept, eavesdrop on, or manipulate the communication between the robot vacuum and its base station. This could lead to unauthorized access to device functions or data, compromising the security and privacy of the user.
Can you explain this vulnerability to me?
This vulnerability affects ECOVACS robot vacuums and their base stations, which communicate over an insecure Wi-Fi network using a deterministic AES encryption key (CWE-798, CWE-321). Because the key is deterministic rather than unique per device and can be derived by a third party, an attacker could potentially decrypt or manipulate the communication between the devices. The fix is the vendor firmware update to the versions listed above.