ECOVACS HOME Mobile App TLS Certificate Validation Vulnerability Allowing Traffic Interception and Token Theft

Vulnerability

A vulnerability exists in the ECOVACS HOME mobile app plugins for certain robot models, where TLS certificate validation is inadequate. This flaw allows an unauthenticated attacker to intercept and potentially alter TLS traffic, leading to the unauthorized retrieval or modification of authentication tokens.

Impact

Exploitation of this vulnerability could result in interception and manipulation of TLS-encrypted traffic, allowing attackers to access or alter sensitive information, including authentication tokens.
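The weakness this advisory describes, inadequate TLS certificate validation in a mobile-app component, almost always traces back to client code that overrides the platform's trust checks (an empty `checkServerTrusted`, a hostname verifier that always returns true, a verification-disabled TLS context). The following is an added example, not code from the ECOVACS HOME app or from ECOVACS: a small static review helper in Python that flags the common ways Android (Java/Kotlin) and Python client code disables certificate or hostname validation. The rule names, the `scan`, `scan_files` and `report` helpers and every sample snippet are constructed for illustration.

```python
"""Static review helper: flag code that weakens TLS certificate validation.

Added example for this advisory; it is not ECOVACS code and the snippets
below are constructed, not taken from the ECOVACS HOME app. The checks are
heuristics a reviewer would run over an app's source (Java/Kotlin/Python).
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str      # human-readable name of the weakness
    line: int      # 1-based line of the match
    snippet: str   # first line of the matched text


# (rule name, regex) pairs. re.S lets a pattern span a line break.
RULES = [
    ("X509TrustManager.checkServerTrusted with an empty body (accepts any chain)",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}", re.S)),
    ("getAcceptedIssuers returns no anchors (trust-all manager)",
     re.compile(r"getAcceptedIssuers\s*\(\)[^{]*\{\s*return\s+"
                r"(?:new\s+X509Certificate\[0\]|null)\s*;?\s*\}", re.S)),
    ("HostnameVerifier.verify that always returns true",
     re.compile(r"verify\s*\([^)]*\)\s*(?::\s*Boolean\s*)?"
                r"(?:\{\s*return\s+true\s*;?\s*\}|=\s*true)", re.S)),
    ("OkHttp hostnameVerifier lambda that always returns true",
     re.compile(r"hostnameVerifier\s*\{[^}]*->\s*true\s*\}", re.S)),
    ("ALLOW_ALL_HOSTNAME_VERIFIER (Apache HttpClient)",
     re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
    ("Python TLS verification disabled",
     re.compile(r"_create_unverified_context|CERT_NONE|"
                r"check_hostname\s*=\s*False|verify\s*=\s*False")),
]


def scan(source: str) -> list[Finding]:
    """Return every rule match in `source`, ordered by line number."""
    findings = []
    for name, pattern in RULES:
        for m in pattern.finditer(source):
            line = source.count("\n", 0, m.start()) + 1
            findings.append(Finding(name, line, m.group(0).splitlines()[0].strip()))
    return sorted(findings, key=lambda f: f.line)


def scan_files(files: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan a {path: contents} map; only paths with findings are returned."""
    return {path: hits for path, text in files.items() if (hits := scan(text))}


def report(files: dict[str, str]) -> str:
    """Render findings as path:line plus the matched snippet, one hit per entry."""
    out = []
    for path, hits in scan_files(files).items():
        for f in hits:
            out.append(f"{path}:{f.line}: {f.rule}\n    {f.snippet}")
    return "\n".join(out) if out else "no TLS validation weaknesses found"


# Constructed samples (hypothetical file contents, not from any real app).
VULNERABLE_JAVA = """\
TrustManager[] trustAll = new TrustManager[] {
    new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }
};
HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) { return true; }
};
"""

VULNERABLE_KOTLIN = """\
val client = OkHttpClient.Builder()
    .sslSocketFactory(sslContext.socketFactory, trustAllManager)
    .hostnameVerifier { _, _ -> true }
    .build()
"""

VULNERABLE_PY = """\
import ssl, urllib.request
ctx = ssl._create_unverified_context()
resp = urllib.request.urlopen(url, context=ctx)
data = requests.get(url, verify=False).json()
"""

SAFE_JAVA = """\
// Platform trust store and default hostname verification; nothing overridden.
OkHttpClient client = new OkHttpClient.Builder().build();
"""

SAMPLE_FILES = {
    "TrustAll.java": VULNERABLE_JAVA,
    "Client.kt": VULNERABLE_KOTLIN,
    "api.py": VULNERABLE_PY,
    "Safe.java": SAFE_JAVA,
}

if __name__ == "__main__":
    print(report(SAMPLE_FILES))
```

Run it as a script to print the findings for the embedded samples, or hand `scan_files` a map of real source paths to their contents. A match marks a place to review rather than a confirmed defect, and the regexes are deliberately narrow: code that installs a custom trust manager in a less stereotyped way, or that configures trust through a platform mechanism such as the Android Network Security Config, still has to be read by hand.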

Remediation

Users should update to the latest version of the ECOVACS HOME mobile app; for affected robot models, firmware updates are also available. Instructions for updating the app or firmware can be found on the ECOVACS website or through the respective app stores.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.0
remediation: 8.3
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.