Details of VAR-202501-1846

ID

VAR-202501-1846

CVE

CVE-2024-11147

TITLE

plural ECOVACS Product use of hardcoded credentials vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2024-028187

DESCRIPTION

ECOVACS robot lawnmowers and vacuums use a deterministic root password generated based on model and serial number. An attacker with shell access can login as root. DEEBOT 900 firmware, DEEBOT N8 firmware, DEEBOT T8 firmware etc. ECOVACS The product contains a vulnerability related to the use of hardcoded credentials.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Trust: 1.62

sources: NVD: CVE-2024-11147 // JVNDB: JVNDB-2024-028187

AFFECTED PRODUCTS

vendor:	ecovacs	model:	airbot andy	scope:	eq	version:	-	Trust: 1.0
vendor:	ecovacs	model:	goat g1	scope:	eq	version:	-	Trust: 1.0
vendor:	ecovacs	model:	deebot n9	scope:	eq	version:	-	Trust: 1.0
vendor:	ecovacs	model:	deebot x2	scope:	eq	version:	-	Trust: 1.0
vendor:	ecovacs	model:	airbot z1	scope:	eq	version:	-	Trust: 1.0
vendor:	ecovacs	model:	deebot n8	scope:	eq	version:	-	Trust: 1.0
vendor:	ecovacs	model:	deebot t10	scope:	eq	version:	-	Trust: 1.0
vendor:	ecovacs	model:	deebot t20	scope:	eq	version:	-	Trust: 1.0
vendor:	ecovacs	model:	deebot t8	scope:	eq	version:	-	Trust: 1.0
vendor:	ecovacs	model:	airbot ava	scope:	eq	version:	-	Trust: 1.0
vendor:	ecovacs	model:	deebot n10	scope:	eq	version:	-	Trust: 1.0
vendor:	ecovacs	model:	deebot x1	scope:	eq	version:	-	Trust: 1.0
vendor:	ecovacs	model:	deebot t9	scope:	eq	version:	-	Trust: 1.0
vendor:	ecovacs	model:	deebot 900	scope:	eq	version:	-	Trust: 1.0
vendor:	ecovacs	model:	airbot ava	scope:	-	version:	-	Trust: 0.8
vendor:	ecovacs	model:	deebot t10	scope:	-	version:	-	Trust: 0.8
vendor:	ecovacs	model:	deebot t9	scope:	-	version:	-	Trust: 0.8
vendor:	ecovacs	model:	goat g1	scope:	-	version:	-	Trust: 0.8
vendor:	ecovacs	model:	deebot x1	scope:	-	version:	-	Trust: 0.8
vendor:	ecovacs	model:	airbot andy	scope:	-	version:	-	Trust: 0.8
vendor:	ecovacs	model:	deebot t8	scope:	-	version:	-	Trust: 0.8
vendor:	ecovacs	model:	deebot t20	scope:	-	version:	-	Trust: 0.8
vendor:	ecovacs	model:	deebot n9	scope:	-	version:	-	Trust: 0.8
vendor:	ecovacs	model:	deebot 900	scope:	-	version:	-	Trust: 0.8
vendor:	ecovacs	model:	deebot n8	scope:	-	version:	-	Trust: 0.8
vendor:	ecovacs	model:	deebot x2	scope:	-	version:	-	Trust: 0.8
vendor:	ecovacs	model:	airbot z1	scope:	-	version:	-	Trust: 0.8
vendor:	ecovacs	model:	deebot n10	scope:	-	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2024-028187 // NVD: CVE-2024-11147

CVSS

SEVERITY

CVSSV2

CVSSV3

9119a7d8-5eab-497f-8521-727c672e3725:	CVE-2024-11147
value:	HIGH
Trust: 1.0
OTHER:	JVNDB-2024-028187
value:	HIGH
Trust: 0.8

9119a7d8-5eab-497f-8521-727c672e3725:	CVE-2024-11147
baseSeverity:	HIGH
baseScore:	7.6
vectorString:	CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	0.9
impactScore:	6.0
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2024-028187
baseSeverity:	HIGH
baseScore:	7.6
vectorString:	CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
attackVector:	PHYSICAL
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2024-028187 // NVD: CVE-2024-11147

PROBLEMTYPE DATA

problemtype:	CWE-798	Trust: 1.0
problemtype:	Use hard-coded credentials (CWE-798) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2024-028187 // NVD: CVE-2024-11147

EXTERNAL IDS

db:	NVD	id:	CVE-2024-11147	Trust: 2.6
db:	JVNDB	id:	JVNDB-2024-028187	Trust: 0.8

sources: JVNDB: JVNDB-2024-028187 // NVD: CVE-2024-11147

REFERENCES

url:	https://builder.dontvacuum.me/ecopassword.php	Trust: 1.8
url:	https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf	Trust: 1.8
url:	https://dontvacuum.me/talks/hitcon2024/hitcon-cmt-2024_ecovacs.pdf	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2024-11147	Trust: 0.8

sources: JVNDB: JVNDB-2024-028187 // NVD: CVE-2024-11147

SOURCES

db:	JVNDB	id:	JVNDB-2024-028187
db:	NVD	id:	CVE-2024-11147

LAST UPDATE DATE

2025-10-02T23:38:53.792000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2024-028187	date:	2025-09-30T01:47:00
db:	NVD	id:	CVE-2024-11147	date:	2025-09-23T17:44:13.273

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2024-028187	date:	2025-09-30T00:00:00
db:	NVD	id:	CVE-2024-11147	date:	2025-01-23T17:15:12.860