#VU109664 Download of code without integrity check in ECOVACS products - CVE-2025-30199
Published: May 23, 2025
Vulnerability identifier: #VU109664
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-30199
CWE-ID: CWE-494
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
X1S PRO
X1 PRO OMNI
X1 OMNI
X1 TURBO
T10 Series
T20 Series
T30 Series
Software vendor:
ECOVACS
Description
The vulnerability allows a remote user to compromise the affected system.
The vulnerability exists because the software does not perform an integrity check when downloading updates. A remote administrator can send malicious over-the-air updates to the base station via the insecure connection between the robot and the base station.
Remediation
Install updates from the vendor's website.