CVE-2024-42911

A WiFi Remote Code Execution vulnerability has been discovered in the ECOVACS Deebot T20 OMNI and T20e OMNI vacuum cleaner robots [1]. The issue affects devices running firmware versions prior to 1.24.0, and successful exploitation can lead to full remote compromise of the device [1]. The vulnerability was responsibly disclosed by researcher Eyüp Sabri Kayacan [1].

Exploitation

Exploitation is performed over WiFi under specific technical conditions [1]. While no authentication requirements or network prerequisites are explicitly detailed, the attack vector is remote and can be carried out without physical access to the device [1]. An attacker would need to be within WiFi range or have network access to the targeted robot [1].

Impact

If successfully exploited, this vulnerability grants an attacker the ability to execute arbitrary code on the affected Deebot robot [1]. This could allow an attacker to take full control of the device, potentially accessing internal sensors, microphones, and other capabilities of the robot [1].

Mitigation

ECOVACS has released firmware version 1.24.0, which contains the fix for this vulnerability [1]. For devices with automatic updates enabled, the patched firmware has been proactively pushed to all users; users can also manually complete the update by performing a system update [1]. No workarounds were provided other than applying the firmware update [1].