A critical, still-unpatched weakness in SharkNinja’s AWS IoT Core access policies lets a certificate pulled from one internet-connected Shark robot vacuum authenticate to the cloud broker and send commands to other Shark devices in the same AWS region. Researcher tokay0 published the write-up on July 13, 2026 after months of responsible disclosure with no committed fix. Research models included RV2320EDUS and AV1102ARUS; the researcher states the issue affects all internet-connected Shark robot vacuums.

Flaw Snapshot
| Field | Detail |
|---|---|
| Disclosed | July 13, 2026 (tokay0) |
| Root cause | Over-permissive AWS IoT Core MQTT policy on device certificates (not scoped to the holding device) |
| Broker path | Mutual TLS to AWS IoT; device shadow field Exec_Command executed via shell (popen, <1000 bytes) |
| Initial cert theft | Physical UART + U-Boot interrupt on researched units |
| After that | Remote cross-device abuse in the same AWS region |
| Scale (1 region, ~24h) | ~1.52M unique serials; ~674k (44%) with Exec_Response / RCE capability signal; 10.5M+ MQTT messages |
| CVE | None yet (MITRE CNA-LR request pending as of disclosure) |
| Patch status | Unpatched as of mid-July 2026 coverage — fix is server-side, not a consumer firmware flash |
| What attackers can reach after RCE | Why it matters |
|---|---|
| Camera feed / motors | Surveillance and physical control inside the home |
| House maps | Layout intelligence for follow-on attacks |
| Plaintext Wi-Fi PSK | Pivot onto the broader home LAN |
| App / cloud command path | Abuse of the same broker fleet owners already trust |

Disclosure Timeline
| Date | Event |
|---|---|
| Mar 1, 2026 | Researcher contacts SharkNinja |
| Mar 11–12 | Technical details shared; company acknowledges |
| Apr 27 | Status: “under review” |
| Jun 9 | 90-day disclosure window ends |
| Jun 11 | CVE request via MITRE CNA-LR |
| Jul 3 | Company promises a completion date by Jul 10 |
| Jul 10 | No completion date delivered (per researcher) |
| Jul 13 | Public write-up posted |
Coverage from Malwarebytes and CyberPress confirms the cloud-policy framing and owner guidance while the broker remains open.
Nuance from the primary write-up: the second unit (AV1102ARUS) used for proof had a properly scoped certificate (no wildcard subscribe), while the first (RV2320EDUS) did not — suggesting bad policies were introduced in provisioning over time. The researcher still assesses all internet-connected Shark vacuums as in-scope for the class of flaw, and notes other Shark IoT products (e.g., smart grills / probes) were not fully investigated but may share architecture.
Other Brands That Share This Risk Class
Shark is the active disclosure — but the architecture is industry-wide: Bluetooth provisioning of the home SSID/password, Linux SoC + MCU split, on-device Wi-Fi credential storage, cameras/maps, and cloud MQTT/IoT hubs.
| Brand / line | Why it is in scope for owners |
|---|---|
| Ecovacs | DEF CON 2024 research (Dennis Giese & Braelynn Luedtke): Bluetooth foothold (ranges demonstrated up to ~450 ft / 130 m), shell, Wi-Fi credential extract — cited by tokay0 as a prior vacuum precedent |
| DJI ROMO | Researcher notes a near-identical cloud/device RCE class discovered previously |
| Roborock | Same BT + 2.4 GHz Wi-Fi + app/cloud + on-device reconnection secrets pattern |
| iRobot (Roomba) | Cloud-connected mapping robots with home-network credentials on device |
| Dreame, Eufy/Anker, Xiaomi, Samsung Jet Bot, LG CordZero | Comparable connected-cleaner stacks; treat as same hygiene class until vendors prove per-device least-privilege |
| Any AWS IoT Core / Azure IoT Hub appliance | Certificate or token policies must be scoped per device — wildcard fleet access is the Shark failure mode |
This is not a claim that every listed brand has the same open AWS wildcard today. It is a claim that the documented Shark path (cloud least-privilege failure + plaintext Wi-Fi PSK on a wheeled Linux box) is a pattern owners should assume until proven otherwise.
What Shark / SharkClean Owners Should Do Now
| Priority | Action |
|---|---|
| 1 | Disconnect Wi-Fi / disable app remote connectivity until SharkNinja confirms a scoped cloud policy — the durable fix is in their AWS account, not a home firmware flash |
| 2 | Change the home Wi-Fi password, then re-pair IoT devices (invalidates any extracted PSK) |
| 3 | Put vacuums/cameras/plugs on a guest / IoT VLAN with client isolation |
| 4 | Prefer WPA3 where possible; many robots still need a dedicated 2.4 GHz SSID |
| 5 | Disable unused camera / remote / cloud-mapping features |
| 6 | Watch SharkNinja / SharkClean app notices for remediation; no CVE means scanners will lag |
Independent Cybersecurity Audit
We scored Shark and peer robot-vacuum brand domains on July 17, 2026. Authority: audit.emailmenow.com only. 100% is the ideal. Sorted highest → lowest.
| Domain | Overall | Identity | Transport | Website | Level |
|---|---|---|---|---|---|
| irobot.com | 68% | 50% | 45% | 87% | Above Average |
| ecovacs.com | 62% | 70% | 15% | 43% | Above Average |
| roborock.com | 61% | 35% | 15% | 87% | Above Average |
| sharkninja.com | 54% | 35% | 15% | 65% | Average |
| sharkclean.com | 46% | 35% | 15% | 37% | Below Average |
| Finding | Detail |
|---|---|
| Ideal score | 0 of 5 hit 100% overall |
| Soft Transport | 15% on Shark, Ecovacs, and Roborock hosts in this pass |
| Soft Identity | Shark + Roborock Identity 35% — weak spoof resistance during “security update / reconnect Wi-Fi” phishing season |
| Strongest here | irobot.com at 68% with Website 87% |
| Phishing implication | Expect fake “SharkClean critical patch / reconnect your vacuum” mail while owners hunt for guidance |

Audit links: irobot.com · ecovacs.com · roborock.com · sharkninja.com · sharkclean.com
Website stack note
Passive website-tech probes completed on July 17, 2026 for all five domains (5 probed, 0 notable, 0 errors). roborock.com was identified as Shopify, where core updates are vendor-managed; apps, themes, and administrator MFA still require merchant oversight. The other four hosts did not expose a CMS or PHP version in this pass. No outdated CMS, PHP EOL, known-CVE hint, or short-horizon TLS alert was reported.
These marketing-site results do not test the SharkNinja AWS IoT broker or invalidate the primary disclosure: the robot-vacuum risk is the cloud certificate policy and on-device Wi-Fi secrets.
Related Reading
- Wifi guest network security risks
- Wifi WPA3 upgrade check guide
- Cyber insurance: controls decide coverage
Run a free Instant Cybersecurity Audit at audit.emailmenow.com or contact EmailMeNow IT Consulting for IoT network segmentation and phishing-season hardening.
Sources: tokay0 — Millions of Shark vacuums vulnerable to RCE · Malwarebytes · CyberPress · EmailMeNow audits — sharkninja.com · sharkclean.com · ecovacs.com · roborock.com · irobot.com