A critical vulnerability in Shark RV2320EDUS robot vacuums allows attackers to gain root-level control of other vacuums across the same Amazon Web Services region. Researcher tokay0 disclosed the flaw on Monday after testing the attack locally.
The exploit works by extracting a certificate from the target vacuum's flash storage. Once obtained, attackers can execute root commands on other Shark vacuums connected to the same AWS region. This grants access to multiple sensitive functions. Attackers can view camera feeds, drive the robot remotely, access the home layout stored on the device's map, and extract Wi-Fi passwords in plaintext text.
The vulnerability stems from improper certificate handling and regional trust assumptions in Shark's cloud infrastructure. The affected model, RV2320EDUS, authenticates to AWS using a shared or poorly isolated certificate. The lack of device-specific certificate pinning or regional isolation controls creates a lateral movement path across a single AWS region.
The vacuum connects to the Shark mobile application for remote control and mapping features. These cloud connections handle sensitive data including home layouts and network credentials. The vulnerability breaks the security boundary between device owners within the same geographic region.
Shark has not yet released patches addressing this vulnerability. The researcher tested the attack locally before disclosure, following responsible disclosure practices. The timing and scope of public awareness remain limited, though the technical details have circulated among security researchers.
For Shark vacuum owners, the immediate risk involves threat actors on the same AWS region gaining unauthorized access to home camera feeds, device location data, and Wi-Fi credentials. This could facilitate follow-on attacks including network infiltration or physical reconnaissance.
Organizations and individuals using Shark RV2320EDUS models should assume this device carries elevated risk until Shark releases and deploys security patches. Disabling remote features or temporarily disconnecting vacuums from Wi-Fi
