Security Advisory - Access Keys and Secrets for Service Were Embedded Within App


Initial Release Date: May 8, 2025
Update Date: May 15, 2025

Vulnerability Overview
Test access keys and secrets for Alibaba Object Storage Service (Test Log Server) were embedded within the Ecovacs Home app. Data on the server may be accessed or tampered with without authorization.
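
A pre-release check for this class of issue, as an added example that is not ECOVACS code: it scans an app package (an APK or IPA is a zip archive) for cloud access key IDs stored in clear text. The key ID pattern (prefix "LTAI" plus 12 to 20 alphanumerics), the 30-character secret length, and the sample package contents are assumptions constructed for the example.

```python
import io
import re
import zipfile

# Assumption: Alibaba Cloud AccessKey IDs start with "LTAI" followed by
# 12-20 alphanumeric characters (the shape common secret scanners look for).
KEY_ID = re.compile(rb"(?<![A-Za-z0-9])LTAI[A-Za-z0-9]{12,20}(?![A-Za-z0-9])")
# Assumption: the matching secret is a 30-character alphanumeric string.
SECRET = re.compile(rb"(?<![A-Za-z0-9])[A-Za-z0-9]{30}(?![A-Za-z0-9])")
WINDOW = 200  # bytes either side of a key ID to search for a secret


def redact(value: bytes) -> str:
    """Keep a short prefix so the finding can be located but not reused."""
    text = value.decode("ascii")
    return text[:6] + "*" * (len(text) - 6)


def scan_package(data: bytes):
    """Return (entry name, redacted key ID, secret nearby?) per finding."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for name in pkg.namelist():
            blob = pkg.read(name)  # read() returns the decompressed entry
            for m in KEY_ID.finditer(blob):
                near = blob[max(0, m.start() - WINDOW): m.end() + WINDOW]
                has_secret = SECRET.search(near) is not None
                findings.append((name, redact(m.group()), has_secret))
    return findings


def build_sample() -> bytes:
    """Constructed package with one placeholder key pair, for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("assets/log_config.json",
                   '{"ak": "LTAI' + "EXAMPLE0KEY0ID00" + '", "sk": "' + "x" * 30 + '"}')
        z.writestr("res/values/strings.xml", '<string name="app">Demo</string>')
    return buf.getvalue()


if __name__ == "__main__":
    for entry, key_id, has_secret in scan_package(build_sample()):
        print(f"{entry}: key ID {key_id} (secret nearby: {has_secret})")
```

The scan only finds literals stored in clear text inside the package; keys that are encoded or assembled at runtime need other review, and any key found in a shipped build should be revoked rather than only removed from the next release.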

Vulnerability Source
CVE-ID: CVE-2025-2394
The vulnerability information was provided by Michael Newton. We sincerely appreciate Michael's contribution to the security of ECOVACS products!

Versions and Fixes
  App: Version 3.4.0 and later address this issue. Please update to the latest app version.

Version Access
  App Version: Please update to the latest version for your device type through the respective app store: iOS users can search for and update our app on the App Store; Android users can update via the Google Play Store. Additionally, you can visit our official website to download and install the latest version.

FAQs
None.

Security Incident Response
ECOVACS is committed to ensuring the best interests of our product users. We adhere to responsible disclosure principles and address security issues through our product security management process.
To report security issues related to ECOVACS products and solutions, please contact us at: product-security@ecovacs.com
ECOVACS will continue to monitor developments related to this vulnerability. Investigations are still in progress. If there are any changes, this advisory will be updated promptly. Please stay tuned for further updates.