Ecovacs Deebot T10 Wi-Fi Credential Disclosure via Plaintext HTTP During Pairing (CVE-2025-44251)

Critical Vulnerability Information CVE-ID: CVE-2025-44251 Vendor: Ecovacs Affected Product Versions: Deebot T10 - 1.7.2 Affected Component: Ecovacs iOS app 3.0 Attack Type: Local Impact: Information Disclosure Attack Vector: Nearby attackers can extract user Wi-Fi credentials during the pairing process by eavesdropping on the Wi-Fi channel. Vendor Confirmed or Acknowledged Vulnerability: yes Vulnerability Description: During the pairing process, the Ecovacs Deebot T10 creates an open Wi-Fi network. The mobile app instructs the user to connect to this open, unencrypted Wi-Fi network. Once connected, the mobile app sends the user’s home Wi-Fi network password to the Ecovacs Deebot T10 via plaintext HTTP protocol, using the /rpc.do endpoint through a POST request. Vulnerability Type: Other Specific Issue: Wi-Fi credentials are transmitted in plaintext HTTP over an unencrypted Wi-Fi network during the network pairing process. Discoverer: Zoltan Balazs Disclosure Timeline: - 2024-11-13: Contacted Ecovacs support to request appropriate contact person - 2024-11-14: Inquired with Ecovacs’ product security team about vulnerability details - 2024-11-14: Vulnerability details sent - 2024-12-04: Vulnerability acknowledged by Ecovacs; they are working on a fix - 2025-02-20: Requested update from Ecovacs - 2025-02-21: Ecovacs committed to fixing by end of March; requested extension of disclosure deadline - 2025-02-21: Disclosure deadline extension approved - 2025-04-02: Requested update from Ecovacs - 2025-05-06: Received response; Ecovacs stated server-side update completed, client-side update to be finished in May - 2025-06-25: Attempted to verify patch, but pairing process remained unchanged. Notified vendor - 2025-07-09: Vulnerability details disclosed

Goal Reached Thanks to every supporter — we hit 100%!

Ecovacs Deebot T10 Wi-Fi Credential Disclosure via Plaintext HTTP During Pairing (CVE-2025-44251)