MICVEs & Vulnerabilities

101 CVEs affecting MI products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

miui 9ax3600 8ax3600 firmware 6xiaomi r3600 firmware 5xiaomi r3600 5rm1800 4ax1800 firmware 4ax1800 4
CVE-2024-45348HIGH

Xiaomi Router AX9000 has a post-authorization command injection vulnerability. This vulnerability is caused by the lack of validation of user input, and an attacker can exploit this vulnerability to execute arbitrary code.

23 Sep 2024
8.8
CVSS
CVE-2023-26324CRITICAL

A code execution vulnerability exists in the XiaomiGetApps application product. This vulnerability is caused by the verification logic being bypassed, and an attacker can exploit this vulnerability to execute malicious code.

28 Aug 2024
9.8
CVSS
CVE-2023-26323CRITICAL

A code execution vulnerability exists in the Xiaomi App market product. The vulnerability is caused by unsafe configuration and can be exploited by attackers to execute arbitrary code.

28 Aug 2024
9.8
CVSS
CVE-2023-26322CRITICAL

A code execution vulnerability exists in the XiaomiGetApps application product. This vulnerability is caused by the verification logic being bypassed, and an attacker can exploit this vulnerability to execute malicious code.

28 Aug 2024
9.8
CVSS
CVE-2023-26321CRITICAL

A path traversal vulnerability exists in the Xiaomi File Manager application product(international version). The vulnerability is caused by unfiltered special characters and can be exploited by attackers to overwrite and execute code in the file.

28 Aug 2024
9.8
CVSS
CVE-2023-26315HIGH

The Xiaomi router AX9000 has a post-authentication command injection vulnerability. This vulnerability is caused by the lack of input filtering, allowing an attacker to exploit it to obtain root access to the device.

26 Aug 2024
8.8
CVSS
CVE-2024-37664MEDIUM

Redmi router RB03 v1.0.57 is vulnerable to TCP DoS or hijacking attacks. An attacker in the same WLAN as the victim can disconnect or hijack the traffic between the victim and any remote server by sending out forged TCP RST messages to evict NAT mappings in the router.

17 Jun 2024
5.2
CVSS
CVE-2024-37663MEDIUM

Redmi router RB03 v1.0.57 is vulnerable to forged ICMP redirect message attacks. An attacker in the same WLAN as the victim can hijack the traffic between the victim and any remote server by sending out forged ICMP redirect messages.

17 Jun 2024
4.1
CVSS
CVE-2024-4406CRITICAL

Xiaomi Pro 13 GetApps integral-dialog-page Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Xiaomi Pro 13 smartphones. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the integral-dialog-page.html file. When parsing the integralInfo parameter, the process does not properly sanitize user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22332.

2 May 2024
9.6
CVSS
CVE-2024-4405CRITICAL

Xiaomi Pro 13 mimarket manual-upgrade Cross-Site Scripting Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Xiaomi Pro 13 smartphones. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the manual-upgrade.html file. When parsing the manualUpgradeInfo parameter, the process does not properly sanitize user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-22379.

2 May 2024
9.6
CVSS
CVE-2023-26320HIGH

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection.

11 Oct 2023
8.1
CVSS
CVE-2023-26319HIGH

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Xiaomi Xiaomi Router allows Command Injection.

11 Oct 2023
7.2
CVSS
CVE-2023-26318HIGH

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Xiaomi Xiaomi Router allows Overflow Buffers.

11 Oct 2023
7.2
CVSS
CVE-2023-26317CRITICAL

Xiaomi routers have an external interface that can lead to command injection. The vulnerability is caused by lax filtering of responses from external interfaces. Attackers can exploit this vulnerability to gain access to the router by hijacking the ISP or upper-layer routing.

2 Aug 2023
9.8
CVSS
CVE-2023-26316MEDIUM

A XSS vulnerability exists in the Xiaomi cloud service Application product. The vulnerability is caused by Webview's whitelist checking function allowing javascript protocol to be loaded and can be exploited by attackers to steal Xiaomi cloud service account's cookies.

2 Aug 2023
6.1
CVSS
CVE-2020-14140HIGH

When Xiaomi router firmware is updated in 2020, there is an unauthenticated API that can reveal WIFI password vulnerability. This vulnerability is caused by the lack of access control policies on some API interfaces. Attackers can exploit this vulnerability to enter the background and execute background command injection.

29 Mar 2023
7.5
CVSS
CVE-2020-14131CRITICAL

The Xiaomi Security Center expresses heartfelt thanks to ADLab of VenusTech ! At the same time, we also welcome more outstanding and professional security experts and security teams to join the Mi Security Center (MiSRC) to jointly ensure the safe access of millions of Xiaomi users worldwide Life.

11 Oct 2022
9.8
CVSS
CVE-2020-14129CRITICAL

A logic vulnerability exists in a Xiaomi product. The vulnerability is caused by an identity verification failure, which can be exploited by an attacker who can obtain a brief elevation of privilege.

11 Oct 2022
9.8
CVSS
CVE-2020-14126HIGH

Information leakage vulnerability exists in the Mi Sound APP. This vulnerability is caused by illegal calls of some sensitive JS interfaces, which can be exploited by attackers to leak sensitive information.

22 Jul 2022
7.5
CVSS
CVE-2020-14114HIGH

information leakage vulnerability exists in the Xiaomi SmartHome APP. This vulnerability is caused by illegal calls of some sensitive JS interfaces, which can be exploited by attackers to leak sensitive information.

22 Jul 2022
7.5
CVSS
CVE-2020-14127HIGH

A denial of service vulnerability exists in some Xiaomi models of phones. The vulnerability is caused by heap overflow and can be exploited by attackers to make remote denial of service.

14 Jul 2022
7.5
CVSS
CVE-2022-31277HIGH

Xiaomi Lamp 1 v2.0.4_0066 was discovered to be vulnerable to replay attacks. This allows attackers to to bypass the expected access restrictions and gain control of the switch and other functions via a crafted POST request.

16 Jun 2022
8.8
CVSS
CVE-2020-14125HIGH

A denial of service vulnerability exists in some Xiaomi models of phones. The vulnerability is caused by out-of-bound read/write and can be exploited by attackers to make denial of service.

8 Jun 2022
7.5
CVSS
CVE-2018-6065KEVHIGHin the wild

Integer overflow in computing the required allocation size when instantiating a new javascript object in V8 in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

8 Jun 2022
8.8
CVSS
CVE-2020-14123HIGH

There is a pointer double free vulnerability in Some MIUI Services. When a function is called, the memory pointer is copied to two function modules, and an attacker can cause the pointer to be repeatedly released through malicious operations, resulting in the affected module crashing and affecting normal functionality, and if successfully exploited the vulnerability can cause elevation of privileges.

22 Apr 2022
7.5
CVSS
CVE-2020-14122MEDIUM

Some Xiaomi phones have information leakage vulnerabilities, and some of them may be able to forge a specific identity due to the lack of parameter verification, resulting in user information leakage.

21 Apr 2022
5.5
CVSS
CVE-2020-14121MEDIUM

A business logic vulnerability exists in Mi App Store. The vulnerability is caused by incomplete permission checks of the products being bypassed, and an attacker can exploit the vulnerability to perform a local silent installation.

21 Apr 2022
5.5
CVSS
CVE-2020-14120HIGH

Some Xiaomi models have a vulnerability in a certain application. The vulnerability is caused by the lack of checksum when using a three-party application to pass in parameters, and attackers can induce users to install a malicious app and use the vulnerability to achieve elevated privileges, making the normal services of the system affected.

21 Apr 2022
8.8
CVSS
CVE-2020-14118MEDIUM

An intent redirection vulnerability in the Mi App Store product. This vulnerability is caused by the Mi App Store does not verify the validity of the incoming data, can cause the app store to automatically download and install apps.

21 Apr 2022
6.1
CVSS
CVE-2020-14117MEDIUM

A improper permission configuration vulnerability in Xiaomi Content Center APP. This vulnerability is caused by the lack of correct permission verification in the Xiaomi content center APP, and attackers can use this vulnerability to invoke the sensitive component functions of the Xiaomi content center APP.

21 Apr 2022
5.3
CVSS
CVE-2020-14116HIGH

An intent redirection vulnerability in the Mi Browser product. This vulnerability is caused by the Mi Browser does not verify the validity of the incoming data. Attackers can perform sensitive operations by exploiting this.

21 Apr 2022
7.5
CVSS
CVE-2020-14115CRITICAL

A command injection vulnerability exists in the Xiaomi Router AX3600. The vulnerability is caused by a lack of inspection for incoming data detection. Attackers can exploit this vulnerability to execute code.

10 Mar 2022
9.8
CVSS
CVE-2020-14112MEDIUM

Information Leak Vulnerability exists in the Xiaomi Router AX6000. The vulnerability is caused by incorrect routing configuration. Attackers can exploit this vulnerability to download part of the files in Xiaomi Router AX6000.

10 Mar 2022
5.3
CVSS
CVE-2020-14111HIGH

A command injection vulnerability exists in the Xiaomi Router AX3600. The vulnerability is caused by a lack of inspection for incoming data detection. Attackers can exploit this vulnerability to execute code.

10 Mar 2022
7.8
CVSS
CVE-2020-14110HIGH

AX3600 router sensitive information leaked.There is an unauthorized interface through luci to obtain sensitive information and log in to the web background.

18 Jan 2022
7.8
CVSS
CVE-2020-14107HIGH

A stack overflow in the HTTP server of Cast can be exploited to make the app crash in LAN.

18 Jan 2022
7.5
CVSS
CVE-2020-14124CRITICAL

There is a buffer overflow in librsa.so called by getwifipwdurl interface, resulting in code execution on Xiaomi router AX3600 with ROM version =rom< 1.1.12.

16 Sep 2021
9.8
CVSS
CVE-2020-14119CRITICAL

There is command injection in the addMeshNode interface of xqnetwork.lua, which leads to command execution under administrator authority on Xiaomi router AX3600 with rom versionrom< 1.1.12

16 Sep 2021
9.8
CVSS
CVE-2020-14130MEDIUM

Some js interfaces in the Xiaomi community were exposed, causing sensitive functions to be maliciously called on Xiaomi community app Affected Version <3.0.210809

16 Sep 2021
5.3
CVSS
CVE-2020-14109HIGH

There is command injection in the meshd program in the routing system, resulting in command execution under administrator authority on Xiaomi router AX3600 with ROM version =< 1.1.12

16 Sep 2021
7.2
CVSS
CVE-2021-31610MEDIUM

The Bluetooth Classic implementation on AB32VG1 devices does not properly handle the reception of continuous unsolicited LMP responses, allowing attackers in radio range to trigger a denial of service (either restart or deadlock the device) by flooding a device with LMP_AU_rand data.

7 Sep 2021
6.5
CVSS
CVE-2020-14105MEDIUM

The application in the mobile phone can read the SNO information of the device, Xiaomi 10 MIUI < 2020.01.15.

20 Apr 2021
5.5
CVSS
CVE-2020-14106MEDIUM

The application in the mobile phone can unauthorized access to the list of running processes in the mobile phone, Xiaomi Mobile Phone MIUI < 2021.01.26.

9 Apr 2021
5.5
CVSS
CVE-2020-14103MEDIUM

The application in the mobile phone can read the SNO information of the device, Xiaomi 10 MIUI < 2020.01.15.

9 Apr 2021
5.5
CVSS
CVE-2020-14104HIGH

A RACE CONDITION on XQBACKUP causes a decompression path error on Xiaomi router AX3600 with ROM version =1.0.50.

8 Apr 2021
8.1
CVSS
CVE-2020-14099HIGH

On Xiaomi router AX1800 rom version < 1.0.336 and RM1800 root version < 1.0.26, the encryption scheme for a user's backup files uses hard-coded keys, which can expose sensitive information such as a user's password.

8 Apr 2021
7.5
CVSS
CVE-2020-14102HIGH

There is command injection when ddns processes the hostname, which causes the administrator user to obtain the root privilege of the router. This affects Xiaomi router AX1800rom version < 1.0.336 and Xiaomi route RM1800 root version < 1.0.26.

14 Jan 2021
7.2
CVSS
CVE-2020-14101HIGH

The data collection SDK of the router web management interface caused the leakage of the token. This affects Xiaomi router AX1800rom version < 1.0.336 and Xiaomi route RM1800 root version < 1.0.26.

14 Jan 2021
7.5
CVSS
← PrevPage 1 / 3Next →