🟠 High  |  Source: The Hacker News


A security researcher has discovered an unpatched flaw in the Shark RV2320EDUS robot vacuum that allows an attacker who physically extracts a device certificate from the vacuum’s flash storage to issue root-level commands to any other Shark vacuum in the same AWS region. This grants access to the live camera feed, remote driving control, household floor plan data, and Wi-Fi credentials stored in plaintext. The vendor has not yet issued a patch, meaning all affected devices remain exposed.

Security Architect’s Take: If your organisation permits IoT devices on networks that share credentials with corporate Wi-Fi or cloud resources, treat this as an urgent segmentation review — the plaintext Wi-Fi password exposure is the highest-risk pivot point. More broadly, use this as a prompt to audit any IoT vendor backends your estate relies upon for weak cross-tenant authorisation controls on shared cloud infrastructure.

Original advisory: Unpatched Shark Vacuum Flaw Could Let Attackers Control Other Vacuums Region-Wide