PatchSiren cyber security CVE debrief
CVE-2025-30198 ECOVACS CVE debrief
CVE-2025-30198 affects ECOVACS DEEBOT robot vacuums and base stations that communicate over a Wi‑Fi network protected by a deterministic WPA2-PSK derived from the device serial number. That weakens the local wireless trust boundary because the shared secret is not randomly provisioned. CISA’s advisory Update A states that software updates are available for all affected devices, so remediation is available across the impacted product set.
- Vendor: ECOVACS
- Product: X1S PRO
- CVSS: MEDIUM 6.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-05-15
- Original CVE updated: 2025-07-10
- Advisory published: 2025-05-15
- Advisory updated: 2025-07-10
Who should care
Owners and operators of affected ECOVACS DEEBOT models, anyone managing multiple units, and support teams responsible for keeping robot vacuums and base stations updated. Security teams should also care if these devices are used in environments where nearby wireless access matters.
Technical summary
CISA assigns CVE-2025-30198 a CVSS 3.1 score of 6.3 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). The advisory says ECOVACS robot vacuums and base stations use an insecure Wi‑Fi network with a deterministic WPA2-PSK that can be derived from the device serial number. Affected product ranges are: X1S PRO before 2.5.38; X1 PRO OMNI before 2.5.38; X1 OMNI before 2.4.45; X1 TURBO before 2.4.45; T10 Series before 1.11.0; T20 Series before 1.25.0; and T30 Series before 1.100.0.
Defensive priority
Elevated: apply the available firmware update promptly on any affected ECOVACS device, especially where nearby wireless exposure is a concern. The issue is rated medium, but the affected trust boundary is local Wi‑Fi access and CISA indicates mitigation is available for all listed devices.
Recommended defensive actions
- Update all affected ECOVACS devices to the fixed software version for your model.
- Confirm the device is running at least X1S PRO/X1 PRO OMNI 2.5.38, X1 OMNI/X1 TURBO 2.4.45, T10 Series 1.11.0, T20 Series 1.25.0, or T30 Series 1.100.0.
- Use ECOVACS’ advisory and support channels to verify the correct remediation path for your model.
- Where feasible, place IoT and robot devices on a separate network segment and restrict unnecessary nearby wireless access.
- If a device cannot be updated immediately, prioritize it for replacement or isolation until remediation is complete.
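To operationalise the version check above across a fleet, the following added example (not code from CISA, ECOVACS or this debrief) compares each inventoried device against the fixed versions the advisory lists, using numeric component comparison so that a version such as 1.100.0 is not mistaken for something older than 1.25.0. The inventory rows are constructed sample data.

```python
"""Inventory check for CVE-2025-30198: flag ECOVACS devices below the fixed version."""
from typing import Dict, List, Tuple

# Minimum fixed firmware version per model, as listed in CISA ICSA-25-135-19.
FIXED_VERSIONS: Dict[str, str] = {
    "X1S PRO": "2.5.38",
    "X1 PRO OMNI": "2.5.38",
    "X1 OMNI": "2.4.45",
    "X1 TURBO": "2.4.45",
    "T10 Series": "1.11.0",
    "T20 Series": "1.25.0",
    "T30 Series": "1.100.0",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so 1.100.0 sorts after 1.25.0.

    A plain string comparison would wrongly rank "1.99.0" above "1.100.0".
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(model: str, version: str) -> bool:
    """True when the model is in the advisory's scope and its firmware predates the fix."""
    fixed = FIXED_VERSIONS.get(model)
    if fixed is None:
        return False  # model not listed in the advisory; out of scope here
    return parse_version(version) < parse_version(fixed)


def find_vulnerable(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return asset tags of devices still running a pre-fix version."""
    return [tag for tag, model, ver in inventory if is_vulnerable(model, ver)]


# Constructed sample inventory: (asset tag, model, reported firmware version).
SAMPLE_INVENTORY = [
    ("vac-01", "X1S PRO", "2.5.37"),
    ("vac-02", "X1 OMNI", "2.4.45"),
    ("vac-03", "T30 Series", "1.99.0"),  # string comparison would call this fixed
    ("vac-04", "T20 Series", "1.25.0"),
    ("vac-05", "Unlisted Model", "1.0.0"),
]

if __name__ == "__main__":
    for tag in find_vulnerable(SAMPLE_INVENTORY):
        print(f"{tag}: below fixed version, schedule firmware update")
```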
Evidence notes
This debrief is based on CISA’s CSAF advisory ICSA-25-135-19 for CVE-2025-30198 and its revision history. The source advisory states that Update A (2025-07-10) made mitigation available for all affected devices and lists the affected ECOVACS product/version ranges. The supplied corpus also includes the official CISA advisory page, the ECOVACS security advisory URL, and the CVE record link. No CISA KEV entry is present in the supplied data.
Official resources
- CVE-2025-30198 CVE record (CVE.org)
- CVE-2025-30198 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the advisory on 2025-05-15 and issued Update A on 2025-07-10. The supplied record shows both dates as the advisory timeline for CVE-2025-30198.