PatchSiren cyber security CVE debrief
CVE-2025-30199 ECOVACS CVE debrief
CVE-2025-30199 is a high-severity ECOVACS issue affecting several DEEBOT robot and base-station product lines. CISA’s advisory says the base stations do not validate firmware updates, which means a malicious over-the-air update could be sent over the insecure connection between the robot and base station. The advisory lists fixed versions for the affected products and, in Update A, states that mitigation is available for all devices. ECOVACS also reports that updates have been proactively pushed and that users can complete the fix through a system update.
- Vendor: ECOVACS
- Product: X1S PRO (other affected DEEBOT lines are listed under "Who should care")
- CVSS: HIGH 7.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-05-15
- Original CVE updated: 2025-07-10
- Advisory published: 2025-05-15
- Advisory updated: 2025-07-10
Who should care
Owners, operators, and support teams responsible for affected ECOVACS DEEBOT systems, especially X1S PRO, X1 PRO OMNI, X1 OMNI, X1 TURBO, T10 Series, T20 Series, and T30 Series devices.
Technical summary
CISA’s CSAF advisory for CVE-2025-30199 describes a firmware-update validation weakness in ECOVACS vacuum robot base stations. The published CVSS 3.1 vector is AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (base score 7.2): network reachable, low attack complexity, high privileges required, no user interaction, and high impact to confidentiality, integrity, and availability. For each product family, every version below the listed fix is affected: X1S PRO and X1 PRO OMNI < 2.5.38; X1 OMNI and X1 TURBO < 2.4.45; T10 Series < 1.11.0; T20 Series < 1.25.0; and T30 Series < 1.100.0. The July 10, 2025 Update A notes that mitigation is available for all devices.
Defensive priority
High. The advisory covers multiple product families and states that mitigation is available, so applying the vendor update should be treated as a prompt maintenance priority for any affected ECOVACS deployment.
Recommended defensive actions
- Apply the ECOVACS system update on affected devices as soon as possible.
- Verify each product is at or above the fixed version listed in the advisory for its model family.
- If automatic updates are supported, confirm the device received the vendor-pushed update notification and complete the update process.
- Use the ECOVACS security advisory and support channels if a device’s update status is unclear or cannot be confirmed.
- Review CISA ICS recommended practices and general defense-in-depth guidance for connected operational devices.
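The version check in the second action above is easy to get wrong with a naive string compare: the T30 Series cutoff of 1.100.0 sorts lexicographically before 1.99.0, so a device running 1.99.0 would be reported as fixed. The script below is an added example for this debrief, not ECOVACS or CISA code. It compares firmware versions numerically against the cutoffs from the advisory and flags every inventory row as vulnerable, fixed, or unknown. The CSV layout, the hostnames, and the inventory rows are constructed assumptions; the fixed versions are the ones listed in ICSA-25-135-19.

```python
"""Audit a DEEBOT inventory against the fixed firmware versions in ICSA-25-135-19.

Added example for this debrief. The CSV layout and hostnames are assumptions,
and the inventory rows are constructed; only the fixed versions come from the advisory.
"""
import csv
import io
from typing import Dict, List, Tuple

# First non-vulnerable version per product family, as listed in the advisory.
FIXED_VERSIONS: Dict[str, str] = {
    "X1S PRO": "2.5.38",
    "X1 PRO OMNI": "2.5.38",
    "X1 OMNI": "2.4.45",
    "X1 TURBO": "2.4.45",
    "T10 Series": "1.11.0",
    "T20 Series": "1.25.0",
    "T30 Series": "1.100.0",
}

# Constructed sample inventory: hostname, model, firmware version as reported by the device.
SAMPLE_INVENTORY_CSV = """hostname,model,firmware
deebot-01,X1S PRO,2.5.37
deebot-02,X1S PRO,2.5.38
deebot-03,T30 Series,1.99.0
deebot-04,T30 Series,1.100.0
deebot-05,T10 Series,1.11
deebot-06,N8 PRO,1.2.3
"""


def version_key(version: str, width: int = 3) -> Tuple[int, ...]:
    """Turn '1.99.0' into (1, 99, 0), zero-padded to `width` components.

    Integer tuples compare numerically, so 1.100.0 > 1.99.0 and 1.11 == 1.11.0.
    A non-numeric component raises ValueError instead of being guessed at.
    """
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) < width:
        parts.extend([0] * (width - len(parts)))
    return tuple(parts)


def naive_string_check(model: str, version: str) -> bool:
    """The mistake to avoid: a lexicographic string compare.

    Returns True when the string compare claims the device is at or above the fix.
    """
    return version >= FIXED_VERSIONS[model]


def device_status(model: str, version: str) -> str:
    """Return 'vulnerable', 'fixed', or 'unknown'.

    'unknown' covers models the advisory does not list and versions that do not parse,
    both of which need a manual look rather than a silent pass.
    """
    fixed = FIXED_VERSIONS.get(model)
    if fixed is None:
        return "unknown"
    try:
        current = version_key(version)
    except ValueError:
        return "unknown"
    return "vulnerable" if current < version_key(fixed) else "fixed"


def audit_inventory(csv_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (hostname, model, firmware, status) for every inventory row."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        (r["hostname"], r["model"], r["firmware"], device_status(r["model"], r["firmware"]))
        for r in rows
    ]


def vulnerable_hosts(csv_text: str) -> List[str]:
    """Hostnames that still run a firmware version below the advisory cutoff."""
    return [host for host, _, _, status in audit_inventory(csv_text) if status == "vulnerable"]


if __name__ == "__main__":
    for host, model, firmware, status in audit_inventory(SAMPLE_INVENTORY_CSV):
        print(f"{host:10} {model:12} {firmware:9} {status}")
```

Feed the script an export from whatever inventory system tracks the devices, and treat every "unknown" row as a follow-up item: a model outside the advisory is not automatically safe, and a firmware string that does not parse usually means the inventory field is stale or hand-entered.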
Evidence notes
This debrief is based on CISA’s CSAF advisory ICSA-25-135-19 for CVE-2025-30199 and the remediation text in the source corpus. The source states that ECOVACS vacuum robot base stations do not validate firmware updates, that malicious OTA updates may be sent via the insecure robot-to-base-station connection, and that software updates are available for all affected devices. Version cutoffs and the July 10, 2025 Update A are taken directly from the advisory metadata.
Official resources
- CVE-2025-30199 CVE record (CVE.org)
- CVE-2025-30199 NVD detail (NVD)
- Source item: cisa_csaf (CISA CSAF advisory ICSA-25-135-19)
CISA published the advisory on 2025-05-15 and issued Update A on 2025-07-10, which adds that mitigation is available for all devices.