CVE-2025-44251 - Ecovacs Deebot T10 exposing Wi-Fi credentials during pairing
CVE-ID:
CVE-2025-44251
Vendor of Product:
Ecovacs
Affected Product Code Base:
Deebot T10 - 1.7.2
Affected Component:
Ecovacs iOS app 3.0
Attack Type:
Local
Impact:
Information Disclosure
Attack Vectors:
An attacker within radio range who passively sniffs the robot's open (unencrypted) Wi-Fi network can read the user's home Wi-Fi credentials while the Ecovacs Deebot T10 is being paired with the mobile app.
Has vendor confirmed or acknowledged the vulnerability?
yes
Suggested description:
During pairing, the Ecovacs Deebot T10 brings up an open, unencrypted Wi-Fi access point, and the mobile app instructs the user to connect to it. Once connected, the app sends the user's home Wi-Fi password to the robot as the JSON body of a cleartext HTTP POST to the /rcp.do endpoint (192.168.0.1:8888). Because neither the Wi-Fi link nor the HTTP transport is encrypted, anyone in radio range can capture the credentials.
Additional Information:
POST /rcp.do HTTP/1.1
Host: 192.168.0.1:8888
Content-Type: application/json
Connection: keep-alive
Accept: */*
User-Agent: EcovacsHome/236935 CFNetwork/1568.100.1.2.1 Darwin/24.0.0
Content-Length: 238
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate
{"lb":"jmq-ngiot-hu.area.ww.ecouser.net","sck2":"
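The request above is exactly what a passive sniffer on the open pairing network sees. The following is an added example (not Ecovacs code and not part of the original write-up) of the check a researcher would run over a reassembled TCP stream from such a capture: parse the HTTP request, confirm it is the pairing POST to /rcp.do on 192.168.0.1:8888, and report which JSON keys are readable in the clear. The host, path, User-Agent and the "lb" key come from the capture above; the "ssid" and "pwd" keys, their values and the sensitive-key list are assumptions, because the real body is truncated in the published capture. The sample requests are constructed inline, including a truncated one that mirrors the cut-off body shown above.

```python
"""Passive check for cleartext pairing credentials (added example, not vendor code)."""
import json
from dataclasses import dataclass
from typing import Optional

PAIRING_HOST = "192.168.0.1:8888"   # from the published capture
PAIRING_PATH = "/rcp.do"            # from the published capture
# Key names that would carry a home-network secret if present: ASSUMED,
# the real key is not visible in the truncated capture.
SENSITIVE_KEYS = {"pwd", "password", "psk", "passphrase", "wifipwd", "key"}


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict
    body: bytes
    complete: bool   # False when Content-Length exceeds the captured bytes


def parse_http_request(raw: bytes) -> Optional[HttpRequest]:
    """Parse one HTTP/1.x request from a reassembled TCP stream.

    Returns None if the bytes do not start with an HTTP request line.
    The body is cut at Content-Length; a short body marks the request incomplete.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    length = int(headers.get("content-length", "0"))
    body = rest[:length]
    return HttpRequest(parts[0].decode(), parts[1].decode(), headers, body, len(body) == length)


def credential_leak(req: HttpRequest) -> dict:
    """Report whether req is the pairing POST and which secret-looking JSON keys
    are readable in the clear. Values are deliberately not echoed; the finding is
    that a sniffer could read them, not the values themselves."""
    report = {"pairing_request": False, "complete": req.complete, "keys": [], "sensitive": []}
    if req.method != "POST" or req.path != PAIRING_PATH or req.headers.get("host") != PAIRING_HOST:
        return report
    report["pairing_request"] = True
    if not req.complete:          # truncated capture: cannot parse the body
        return report
    try:
        data = json.loads(req.body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return report
    report["keys"] = sorted(data)
    report["sensitive"] = sorted(k for k in data if k.lower() in SENSITIVE_KEYS)
    return report


# CONSTRUCTED sample body: "lb" is from the capture, "ssid"/"pwd" are assumed names.
SAMPLE_BODY = {"lb": "jmq-ngiot-hu.area.ww.ecouser.net", "ssid": "HomeNet", "pwd": "correct horse"}


def build_request(body: dict, truncate_at: Optional[int] = None) -> bytes:
    """Build a constructed pairing POST like the captured one; optionally cut the
    body short to mimic a truncated capture (Content-Length stays at full size)."""
    payload = json.dumps(body, separators=(",", ":")).encode()
    head = (
        f"POST {PAIRING_PATH} HTTP/1.1\r\n"
        f"Host: {PAIRING_HOST}\r\n"
        "Content-Type: application/json\r\n"
        "User-Agent: EcovacsHome/236935 CFNetwork/1568.100.1.2.1 Darwin/24.0.0\r\n"
        f"Content-Length: {len(payload)}\r\n\r\n"
    ).encode()
    return head + (payload if truncate_at is None else payload[:truncate_at])


if __name__ == "__main__":
    for raw in (build_request(SAMPLE_BODY), build_request(SAMPLE_BODY, truncate_at=40)):
        req = parse_http_request(raw)
        print(credential_leak(req))
```

In practice the input bytes would come from a reassembled TCP stream (for example a tcpdump capture of the robot's open network, followed by "Follow TCP stream"); the request is readable precisely because neither layer, Wi-Fi or HTTP, encrypts it. A patched pairing flow would have to move this exchange onto a protected Wi-Fi network or an authenticated TLS channel, which is what re-running this check against a new firmware and app version would confirm or refute.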
Vulnerability Type:
Other
Cleartext transmission of sensitive information (CWE-319): Wi-Fi credentials sent over unencrypted HTTP on an open Wi-Fi network during the pairing process
Discoverer:
Zoltan Balazs
Reference:
http://deebot.com
http://ecovacs.com
Disclosure timeline:
2024-11-13: Ecovacs support contacted, asking for proper contact
2024-11-14: Product security at Ecovacs is asking for vulnerability details
2024-11-14: Vulnerability details sent
2024-12-04: Vulnerability confirmed by Ecovacs, they are working on a fix
2025-02-20: Asking Ecovacs for an update
2025-02-21: Ecovacs promises a fix by end of March and asks for a publication deadline extension
2025-02-21: Publication deadline extension approved
2025-04-02: Asking Ecovacs for an update
2025-05-06: Received reply:
“Dear Zoltan Balazs,
Thank you for your follow-up and for your continued contribution to our security efforts.
We completed the update through server-side in March, and at the same time, we will complete the update on the App client (the coming version) in May.
Thank you again for your valuable contribution to ECOVACS product security.
Best regards, ECOVACS Security Team”
2025-06-25: Tried to verify the patch, but the pairing worked the same as before. Versions used: Deebot 1.7.5 (latest), iOS app 3.4.0 (latest). Vendor notified.
2025-07-09: Vulnerability details published