Security Advisory - Bluetooth Remote Code Execution (BLE RCE) Vulnerability in Deebot Product Series
Initial Release Date: November 19, 2024
Update Date: November 19, 2024
Vulnerability Overview
A Bluetooth Remote Code Execution (BLE RCE) vulnerability has been identified in ECOVACS' Deebot product series. Under specific technical conditions, successful exploitation of this vulnerability could allow an attacker to remotely compromise the affected devices.
Vulnerability Source
The vulnerability information was provided by Dennis Giese, Braelynn Luedtke, and Chris Anderson. We sincerely appreciate their contributions to the security of ECOVACS products.
Versions and Fixes
| Affected Products | Patched Versions |
| --- | --- |
| X2 OMNI | 1.76.6 |
| X2 COMBO | 1.81.10 |
| X2S | 1.49.0 |
| X5 PRO | 1.70.0 |
| X5 PRO PLUS | 1.38.0 |
| X5 PRO ULTRA | 1.17.0 |
| T30 OMNI | 1.93.0 |
| T30S | 1.95.0 |
Version Access
Devices that support automatic updates will receive system update notifications. We have proactively pushed the update to all users. Users can apply the fix by installing the system update.
FAQs
None.
Security Incident Response
ECOVACS is committed to ensuring the best interests of our product users. We adhere to responsible disclosure principles and address security issues through our product security management process.
To report security issues related to ECOVACS products and solutions, please contact us at: product-security@ecovacs.com
ECOVACS will continue to monitor developments related to this vulnerability. Investigations are still in progress, and this advisory will be updated promptly if there are any changes. Please stay tuned for further updates.