Xiaomi router external request interface has command injection
CVE-2023-26317

7HIGH

Key Information:

Vendor: Xiaomi
Status: Xiaomi Router
Vendor: CVE Published:; 2 August 2023

What is CVE-2023-26317?

Xiaomi routers have a security flaw due to inadequate filtering of responses from their external interfaces. This command injection vulnerability enables attackers to manipulate router commands, potentially gaining unauthorized access by hijacking the Internet Service Provider (ISP) or utilizing upper-layer routing mechanisms.

Affected Version(s)

Xiaomi router Xiaomi Router Firmware version before 2023.2 <= 2023.2

References

https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId...

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 2, 2023
Vulnerability Reserved
Feb 22, 2023