CVE-2025-44251 is a high-severity vulnerability affecting the Ecovacs Deebot T10 robotic vacuum cleaner, specifically version 1.7.2. The vulnerability arises from the device transmitting Wi-Fi credentials in cleartext during the pairing process. This means that when the device is being connected to a wireless network, the network name (SSID) and password are sent over the air without encryption or any form of protection. An attacker within wireless range could intercept these credentials using common packet sniffing tools, leading to unauthorized access to the victim's Wi-Fi network. The vulnerability is classified under CWE-319, which pertains to the cleartext transmission of sensitive information. The CVSS v3.1 base score is 7.5, indicating a high severity level. The vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) shows that the attack can be performed remotely over the network without any privileges or user interaction, and it results in a complete compromise of confidentiality (high impact on confidentiality), though integrity and availability are not affected. There are no known exploits in the wild yet, and no patches or mitigations have been officially released at the time of publication. The vulnerability's impact is limited to the pairing process, but given that Wi-Fi credentials are highly sensitive, the risk of network compromise is significant. Attackers gaining access to the Wi-Fi network could perform lateral movement, intercept other network traffic, or launch further attacks on connected devices. This vulnerability highlights a critical security design flaw in the device's onboarding process, where sensitive data is not adequately protected during transmission.

For European organizations, this vulnerability poses a significant risk, especially in environments where Ecovacs Deebot T10 devices are deployed in offices, warehouses, or other facilities connected to corporate or sensitive networks. The exposure of Wi-Fi credentials can lead to unauthorized network access, potentially allowing attackers to infiltrate internal systems, exfiltrate data, or disrupt operations. Given that many European companies rely on Wi-Fi networks for daily operations, the compromise of network credentials can undermine confidentiality and trust. Additionally, organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, could face compliance violations if unauthorized access leads to data breaches. The vulnerability also raises concerns for smart office environments where IoT devices are interconnected, increasing the attack surface. Although the vulnerability does not directly affect device integrity or availability, the indirect consequences of network compromise can be severe, including espionage, ransomware deployment, or service disruption. The lack of a patch at the time of disclosure further exacerbates the risk, requiring organizations to implement compensating controls promptly.

To mitigate this vulnerability, European organizations should take several specific steps beyond generic advice. First, avoid deploying Ecovacs Deebot T10 devices version 1.7.2 in sensitive or critical network environments until a secure firmware update is available. If devices are already deployed, isolate them on a dedicated guest or IoT VLAN with strict network segmentation and firewall rules to limit lateral movement and access to critical resources. Use strong Wi-Fi encryption protocols (WPA3 if possible) and monitor wireless networks for unusual activity or unauthorized devices. Employ wireless intrusion detection systems (WIDS) to detect sniffing or rogue access points. During the pairing process, conduct it in a controlled environment where the risk of eavesdropping is minimized, such as physically isolated areas or shielded rooms. Regularly audit and rotate Wi-Fi credentials to reduce the window of exposure. Additionally, maintain an inventory of all IoT devices and their firmware versions to quickly identify vulnerable units. Engage with Ecovacs support channels to obtain updates or patches and apply them promptly once available. Finally, educate staff about the risks of insecure IoT devices and the importance of network segmentation and monitoring.