Because Google started to delete hacking related blog posts without using a single brain cell, I had to learn just another framework. Thx Google

CVE-2025-44251 - Ecovacs Deebot T10 exposing Wi-Fi credentials during pairing

CVE-ID:

CVE-2025-44251

 

Vendor of Product:

Ecovacs

 

Affected Product Code Base:

Deebot T10 - 1.7.2

 

Affected Component:

Ecovacs iOS app 3.0

 

Attack Type:

Local

 

Impact:

Information Disclosure

 

Attack Vectors:

Nearby attackers listening to open Wi-Fi channels can extract the user’s Wi-Fi credentials during the pairing process between the Ecovacs Deebot T10 and the mobile app.

 

Has vendor confirmed or acknowledged the vulnerability?

yes

 

Suggested description:

During the pairing process, the Ecovacs Deebot T10 creates an open Wi-Fi network, and the mobile app instructs the user to connect to this open, unencrypted Wi-Fi network. Once connected, the mobile app sends the user’s home Wi-Fi network password to the Ecovacs Deebot T10 over cleartext HTTP, across the open Wi-Fi network, in a POST request to the /rcp.do endpoint.

 

Additional Information:

POST /rcp.do HTTP/1.1
Host: 192.168.0.1:8888
Content-Type: application/json
Connection: keep-alive
Accept: */*
User-Agent: EcovacsHome/236935 CFNetwork/1568.100.1.2.1 Darwin/24.0.0
Content-Length: 238
Accept-Language: en-GB,en;q=0.9
Accept-Encoding: gzip, deflate

{"lb":"jmq-ngiot-hu.area.ww.ecouser.net","sck2":"","p":"","sc":"bmrO","u":"","td":"SetApConfig","i":"{\"r\":\"ecouser.net\",\"dc\":\"eu\",\"v\":\"ww\",\"a\":\"hu\"}","s":""}
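As an added example (not code from the original advisory or from Ecovacs), the Python check below classifies the first client payload of a captured pairing session when retesting a fix: a TLS record, the cleartext SetApConfig POST shown above, or something else. The function name, the TLS-header test and the sample values are assumptions made for illustration; the advisory redacts the field values, so the check lists populated field names without guessing which one carries the password.

```python
import json

# Constructed sample modelled on the request in this advisory. The values
# "CONSTRUCTED-A"/"CONSTRUCTED-B" are placeholders, not data from the page.
SAMPLE_HTTP = (
    b"POST /rcp.do HTTP/1.1\r\n"
    b"Host: 192.168.0.1:8888\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"lb":"jmq-ngiot-hu.area.ww.ecouser.net","sck2":"","p":"CONSTRUCTED-A",'
    b'"sc":"bmrO","u":"","td":"SetApConfig","s":"CONSTRUCTED-B"}'
)
# Constructed first bytes of a TLS handshake record (type 0x16, version 0x0301).
SAMPLE_TLS = bytes.fromhex("16030100c8010000c40303")


def audit_pairing_payload(payload: bytes) -> dict:
    """Classify the first client payload of a pairing session from a capture."""
    result = {"verdict": "other", "command": None, "populated_fields": []}
    # A TLS record header means the app no longer speaks plain HTTP here.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        result["verdict"] = "tls"
        return result
    head, sep, body = payload.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if not sep or len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return result
    method, path = parts[0], parts[1].split("?", 1)[0]
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return result  # readable HTTP, but the body is not cleartext JSON
    if not isinstance(doc, dict):
        return result
    result["command"] = doc.get("td")
    # Report field names only, so the audit output never copies secrets.
    result["populated_fields"] = sorted(
        k for k, v in doc.items() if isinstance(v, str) and v)
    if method == "POST" and path == "/rcp.do" and doc.get("td") == "SetApConfig":
        result["verdict"] = "cleartext-provisioning"
    return result


if __name__ == "__main__":
    print(audit_pairing_payload(SAMPLE_HTTP))
    print(audit_pairing_payload(SAMPLE_TLS))
```

A "tls" verdict only shows that the HTTP layer is now wrapped; whether the pairing access point itself is still open has to be checked separately.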

 

Vulnerability Type:

Other

Wi-Fi credentials transmitted in cleartext HTTP via unencrypted Wi-Fi during the pairing process, CWE-319

 

Discoverer:

Zoltan Balazs

 

Reference:

http://deebot.com

http://ecovacs.com

 

Disclosure timeline:

2024-11-13: Ecovacs support contacted, asking for proper contact

2024-11-14: Product security at Ecovacs is asking for vulnerability details

2024-11-14: Vulnerability details sent

2024-12-04: Vulnerability confirmed by Ecovacs, they are working on a fix

2025-02-20: Asking Ecovacs for an update

2025-02-21: Ecovacs promises a fix by end of March, Ecovacs is asking for publication deadline extension

2025-02-21: Publication deadline extension approved

2025-04-02: Asking Ecovacs for an update

2025-05-06: Received reply:  

“Dear Zoltan Balazs,

Thank you for your follow-up and for your continued contribution to our security efforts.

We completed the update through server-side in March, and at the same time, we will complete the update on the App client (the coming version) in May.

Thank you again for your valuable contribution to ECOVACS product security.

Best regards, ECOVACS Security Team”

2025-06-25: Tried to verify the patch, but the pairing worked the same as before. Versions used: Deebot 1.7.5 (latest), iOS app version 3.4.0 (latest). Vendor notified.

2025-07-09: Vulnerability details published