Common Weakness Enumeration

CWE-603

Allowed

Use of Client-Side Authentication

Abstraction: Base · Status: Draft

A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.

41 vulnerabilities reference this CWE, most recent first.

GHSA-WXX6-J873-V2QH

Vulnerability from github – Published: 2025-01-23 18:31 – Updated: 2025-01-23 18:31
VLAI
Details

The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-52327"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-603"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-23T17:15:13Z",
    "severity": "MODERATE"
  },
  "details": "The cloud service used by ECOVACS robot lawnmowers and vacuums allows authenticated attackers to bypass the PIN entry required to access the live video feed.",
  "id": "GHSA-wxx6-j873-v2qh",
  "modified": "2025-01-23T18:31:20Z",
  "published": "2025-01-23T18:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52327"
    },
    {
      "type": "WEB",
      "url": "https://dontvacuum.me/talks/37c3-2023/37c3-vacuuming-and-mowing.pdf"
    },
    {
      "type": "WEB",
      "url": "https://dontvacuum.me/talks/HITCON2024/HITCON-CMT-2024_Ecovacs.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.ecovacs.com/global/userhelp/dsa20241217002"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design

Do not rely on client side data. Always perform server side authentication.

No CAPEC attack patterns related to this CWE.