CVE-2023-26317

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-26317
Xiaomi routers have an external interface that can lead to command injection. The vulnerability is caused by lax filtering of responses from external interfaces. Attackers can exploit this vulnerability to gain access to the router by hijacking the ISP or upper-layer routing.

7.0 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact LOW

Scope UNCHANGED

References
Link Resource
https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=529 Vendor Advisory
https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=529 Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:o:mi:xiaomi_router_firmware:*:*:*:*:*:*:*:*
History

21 Nov 2024, 07:51

Type Values Removed Values Added
References () https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=529 - Vendor Advisory () https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=529 - Vendor Advisory
CVSS v2 : unknown
v3 : 9.8 		v2 : unknown
v3 : 7.0

08 Oct 2024, 10:15

Type Values Removed Values Added
Summary (en) A vulnerability has been discovered in Xiaomi routers that could allow command injection through an external interface. This vulnerability arises from inadequate filtering of responses returned from the external interface. Attackers could exploit this vulnerability by hijacking the ISP or an upper-layer router to gain privileges on the Xiaomi router. Successful exploitation of this flaw could permit remote code execution and complete compromise of the device. (en) Xiaomi routers have an external interface that can lead to command injection. The vulnerability is caused by lax filtering of responses from external interfaces. Attackers can exploit this vulnerability to gain access to the router by hijacking the ISP or upper-layer routing.
CWE CWE-78

07 Aug 2023, 16:18

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
First Time Mi
Mi xiaomi Router Firmware
CPE cpe:2.3:o:mi:xiaomi_router_firmware:*:*:*:*:*:*:*:*
CWE CWE-77
References (MISC) https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=529 - (MISC) https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=529 - Vendor Advisory

02 Aug 2023, 14:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-08-02 14:15

Updated : 2024-11-21 07:51

NVD link : CVE-2023-26317

Mitre link : CVE-2023-26317

CVE.ORG link : CVE-2023-26317

JSON object : View

Products Affected

mi

  • xiaomi_router_firmware
CWE
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')