ECOVACS Robotics has addressed a critical remote code execution (RCE) vulnerability affecting its Deebot series robot vacuums. The vulnerability, identified as CVE-2024-42911, could allow attackers to remotely compromise vulnerable devices under specific technical conditions.
“A WiFi Remote Code Execution vulnerability has been identified in ECOVACS’ Deebot product series. Under specific technical conditions, successful exploitation of this vulnerability could allow an attacker to remotely compromise the affected devices,” reads the security advisory.
Details about the vulnerability are limited, but ECOVACS has confirmed that it was discovered by security researcher Eyüp Sabri Kayacan. The company has expressed gratitude for Kayacan's contribution to the security of its products.
Affected Products and Patched Versions:
- T20 OMNI – 1.24.0
- T20e OMNI – 1.24.0
ECOVACS has taken proactive steps to address the vulnerability by automatically pushing the update to all users. Users can complete the fix by simply performing the system update on their affected devices.
Recommendations:
- Update Immediately: If you own a T20 OMNI or T20e OMNI Deebot, ensure your device is updated to the latest firmware version (1.24.0 or higher).
- Enable Automatic Updates: Turn on automatic updates to ensure your robot vacuum receives future security patches promptly.
- Monitor Network Activity: Keep an eye on your network traffic for any suspicious activity that could indicate a compromise.