ECOVACS Products Bluetooth Command Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A command injection vulnerability has been identified in ECOVACS robot lawnmowers and vacuums, specifically within the Deebot and Goat product series. The flaw allows remote code execution over an unauthenticated Bluetooth Low Energy (BLE) connection by abusing the SetNetPin() command. Affected products include various models within the Deebot series, such as the X2 OMNI, X2 COMBO, X2S, X5 PRO, X5 PRO PLUS, X5 PRO ULTRA, T30 OMNI, and T30S, as well as the Goat series models GOAT G1-2000, GOAT G1, GOAT G1-800, and GX-600.
Impact
Successful exploitation of this vulnerability could lead to unauthorized remote code execution on the affected devices.
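The page names the bug class (command injection in a BLE command handler) but not the handler code. The following is an added illustration of that class in C, written for this summary and not taken from ECOVACS firmware: a hypothetical network-PIN handler that pastes the received value into a shell command line, beside a hardened variant that validates the PIN as a short digit string and builds an argv vector so no shell is ever involved. The tool name `netcfg` and the `--pin` flag are placeholders, as is the "pin" format itself.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical handler for a PIN received over BLE. Constructed for this
 * example to show the command-injection class; not ECOVACS code. */

#define PIN_MIN 4
#define PIN_MAX 8
#define CMD_MAX 128

/* Vulnerable pattern: the attacker-controlled string is interpolated into
 * a command line destined for system(). Shell metacharacters survive
 * untouched. The command is only built here, never executed. */
int build_cmd_unsafe(const char *pin, char *out, size_t outlen) {
    /* "netcfg --pin" is a placeholder tool, not a real binary. */
    int n = snprintf(out, outlen, "netcfg --pin %s", pin);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Returns 1 if the unsafe command built from `pin` still contains
 * `needle` (e.g. ";reboot"), showing that injected text reaches the shell. */
int unsafe_cmd_contains(const char *pin, const char *needle) {
    char cmd[CMD_MAX];
    if (build_cmd_unsafe(pin, cmd, sizeof cmd) != 0) return 0;
    return strstr(cmd, needle) != NULL;
}

/* Hardened check: accept only PIN_MIN..PIN_MAX ASCII digits.
 * Returns 1 when acceptable, 0 otherwise. */
int validate_pin(const char *pin) {
    size_t len, i;
    if (pin == NULL) return 0;
    len = strlen(pin);
    if (len < PIN_MIN || len > PIN_MAX) return 0;
    for (i = 0; i < len; i++) {
        if (!isdigit((unsigned char)pin[i])) return 0;
    }
    return 1;
}

/* Hardened handler: validate first, then pass the value as a single argv
 * element (for execve-style launching) so no shell parses it even if
 * validation were later relaxed. Returns 0 on success, -1 on rejection. */
int build_argv_safe(const char *pin, const char *argv[4]) {
    if (!validate_pin(pin)) return -1;
    argv[0] = "netcfg";   /* placeholder tool name */
    argv[1] = "--pin";
    argv[2] = pin;        /* one argv slot: never re-parsed by a shell */
    argv[3] = NULL;
    return 0;
}

/* Convenience wrapper: 1 if the hardened handler accepts `pin`, else 0. */
int safe_handler_accepts(const char *pin) {
    const char *argv[4];
    return build_argv_safe(pin, argv) == 0;
}

int main(void) {
    const char *inputs[] = { "12345678", "1234;reboot", "123", "123456789" };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%-12s unsafe keeps ';reboot': %d  hardened accepts: %d\n",
               inputs[i],
               unsafe_cmd_contains(inputs[i], ";reboot"),
               safe_handler_accepts(inputs[i]));
    }
    return 0;
}
```

The two defences are independent: the allowlist rejects anything that is not a short digit string, and the argv construction removes the shell from the path entirely, so a future change to the allowed character set cannot reintroduce injection. The same structure applies to any parameter that arrives over an unauthenticated transport such as BLE, where the sender cannot be trusted to be the vendor app.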
Remediation
ECOVACS has released patches for the vulnerable products. Users should update their devices to the latest firmware version to address this vulnerability. For products that support automatic updates, the update will be pushed automatically.
