The vulnerability identified as CVE-2025-44251 affects the Ecovacs Deebot T10 robotic vacuum cleaner, specifically version 1.7.2. During the device's Wi-Fi pairing process, it transmits Wi-Fi credentials in cleartext, meaning the network name (SSID) and password are sent without encryption. This lack of confidentiality in the transmission exposes sensitive network credentials to any attacker within wireless range who can intercept the communication. The vulnerability arises from insecure design or implementation of the pairing protocol, which fails to protect the credentials using encryption or secure key exchange mechanisms. Since the pairing process is typically performed when initially setting up the device or reconfiguring network settings, an attacker could exploit this window to capture the credentials and subsequently gain unauthorized access to the victim's Wi-Fi network. This could lead to further attacks such as network reconnaissance, man-in-the-middle attacks, or lateral movement within the network. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to the sensitive nature of Wi-Fi credentials and the ease of interception in wireless environments. The absence of a CVSS score indicates that the vulnerability has not yet been fully assessed for severity, but the technical details clearly indicate a confidentiality breach during a critical operation. The vulnerability affects the Ecovacs Deebot T10 1.7.2 firmware, and no patch or mitigation has been officially published at the time of reporting.

For European organizations, this vulnerability can have serious implications. Many organizations use IoT devices like robotic vacuum cleaners in office environments, which often connect to corporate or guest Wi-Fi networks. If an attacker captures Wi-Fi credentials during the pairing process, they could gain unauthorized access to the network, potentially bypassing perimeter defenses. This access could allow attackers to intercept sensitive communications, deploy malware, or move laterally to more critical systems. The breach of Wi-Fi credentials also undermines network integrity and confidentiality, increasing the risk of data leakage or disruption of services. Additionally, organizations subject to GDPR and other data protection regulations could face compliance issues if such a vulnerability leads to unauthorized data access or breaches. The risk is heightened in environments where the device is paired in public or semi-public spaces, such as shared office buildings or co-working spaces, where attackers can easily be in proximity. Although the vulnerability does not directly affect the device's operational integrity, the indirect consequences through network compromise can be substantial.

To mitigate this vulnerability, organizations and users should avoid pairing the Ecovacs Deebot T10 1.7.2 on sensitive or corporate Wi-Fi networks until a secure firmware update is released. Instead, pairing should be performed on isolated or guest networks with limited access to critical resources. Network segmentation should be enforced to separate IoT devices from core business systems. Monitoring wireless traffic during device setup can help detect unauthorized interception attempts. Users should request or monitor for firmware updates from Ecovacs that address secure transmission of credentials, ideally implementing encrypted pairing protocols such as WPA3 or secure out-of-band key exchanges. Additionally, organizations should consider disabling or restricting the use of IoT devices that do not meet security standards in sensitive environments. Employing network access control (NAC) solutions to limit device connectivity and using strong Wi-Fi authentication methods can further reduce risk. Finally, educating users about the risks of pairing devices in unsecured environments and enforcing policies around IoT device deployment are critical.