{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/shark-av1102arus/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Shark RV2320EDUS","Shark AV1102ARUS"],"_cs_severities":["critical"],"_cs_tags":["iot-security","vulnerability","cloud-security","access-control","remote-code-execution"],"_cs_type":"threat","_cs_vendors":["SharkNinja"],"content_html":"\u003cp\u003eA researcher operating under the handle tokay0 has publicly disclosed a critical vulnerability affecting SharkNinja's robot vacuum cleaners, specifically the RV2320EDUS model, which has remained unpatched since being reported to the vendor in March 2026. The flaw stems from an overly permissive AWS IoT certificate embedded in the device, which, when extracted, grants an attacker the ability to execute root commands, access camera feeds, read house maps, and exfiltrate Wi-Fi passwords in plaintext from other Shark vacuums within the same AWS region. This vulnerability does not rely on memory corruption or privilege escalation on the target device, but rather on the cloud broker accepting broad publish/subscribe actions from a compromised certificate. The researcher observed over 673,000 devices emitting an Exec_Response in a 24-hour period within one AWS region, indicating a wide potential impact on customers whose devices utilize the affected command handler.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003ePhysical Access:\u003c/strong\u003e An attacker gains physical access to a vulnerable Shark RV2320EDUS robot vacuum.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access (Device Root Shell):\u003c/strong\u003e The attacker disassembles the vacuum, connects to UART pins on the mainboard, bypasses the U-Boot console password, and exploits a boot argument (\u003ccode\u003einit=/bin/sh\u003c/code\u003e) to obtain a root shell on the device.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access (Certificate Extraction):\u003c/strong\u003e From the root shell, the attacker extracts the per-device AWS IoT key and certificate files located at \u003ccode\u003e/mnt/res/vapp/certs/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAbuse of Cloud Identity:\u003c/strong\u003e Using the extracted certificate, which possesses an overly permissive AWS IoT policy (allowing publish/subscribe on \u003ccode\u003e$aws/things/#\u003c/code\u003e), the attacker connects to SharkNinja's cloud broker.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDiscovery \u0026amp; Targeting:\u003c/strong\u003e The attacker subscribes to \u003ccode\u003e$aws/things/#\u003c/code\u003e via the broker to observe traffic and harvest serial numbers of other Shark vacuums operating in the same AWS region.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRemote Code Execution:\u003c/strong\u003e The attacker publishes a shadow update containing an \u003ccode\u003eExec_Command\u003c/code\u003e field to the specific topic of a targeted Shark vacuum.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact (Remote Control \u0026amp; Data Exfiltration):\u003c/strong\u003e The targeted vacuum's \u003ccode\u003eappd\u003c/code\u003e management daemon reads the \u003ccode\u003eExec_Command\u003c/code\u003e field, which is executed via \u003ccode\u003epopen\u003c/code\u003e, providing the attacker with capabilities such as establishing a reverse shell, accessing live camera feeds, reading house maps, and exfiltrating plaintext Wi-Fi passwords.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of this vulnerability would allow an attacker to remotely control affected Shark robot vacuums, leading to significant privacy and security compromises. Attackers could view sensitive household information through the vacuum's camera, map out the interior of homes, and steal Wi-Fi network credentials, potentially enabling further network intrusion. While the researcher tested on his own devices, the identified scope suggests that hundreds of thousands of Shark vacuums across a single AWS region could be vulnerable. SharkNinja has not yet patched the flaw or issued an official advisory, leaving devices exposed to these risks. The only current owner-side mitigation is to disconnect the vacuum from Wi-Fi, which disables app control and smart features.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor Vendor Advisories:\u003c/strong\u003e Regularly check SharkNinja's official channels for an upcoming security advisory or patch regarding this vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview IoT Device Policies:\u003c/strong\u003e For organizations that manage IoT fleets, review AWS IoT Device Defender audit checks, specifically \u003ccode\u003eIOT_POLICY_OVERLY_PERMISSIVE_CHECK\u003c/code\u003e, to ensure device policies are properly scoped to \u003ccode\u003eiot:Connection.Thing.ThingName\u003c/code\u003e and not \u003ccode\u003eaws/things/*\u003c/code\u003e. This is a vendor-side fix, but awareness is crucial.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eIsolate or Disconnect Affected Devices:\u003c/strong\u003e Until a vendor-supplied patch is available, end-users should consider disconnecting affected Shark vacuums, such as the Shark RV2320EDUS and AV1102ARUS, from their Wi-Fi networks to prevent remote exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T10:54:57Z","date_published":"2026-07-16T10:54:57Z","id":"https://feed.craftedsignal.io/briefs/2026-07-unpatched-shark-vacuum-flaw/","summary":"A researcher discovered an unpatched vulnerability in Shark RV2320EDUS robot vacuums that allows an attacker with physical access to extract an overly permissive AWS IoT certificate, enabling region-wide remote command execution and data theft on other Shark vacuums.","title":"Unpatched Shark Vacuum Flaw Allows Region-Wide Remote Control and Data Theft","url":"https://feed.craftedsignal.io/briefs/2026-07-unpatched-shark-vacuum-flaw/"}],"language":"en","title":"CraftedSignal Threat Feed - Shark AV1102ARUS","version":"https://jsonfeed.org/version/1.1"}