CVSSv2: 7.5

CVE-2019-18370

Published: 23/10/2019 Updated: 21/07/2021
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

An issue exists on Xiaomi Mi WiFi R3G devices running firmware prior to 2.28.23-stable. The configuration backup file is a tar.gz archive. After upload, the application unpacks it as-is with the tar zxf command, so the uploader controls the names and contents of the files written into the extraction directory. In addition, the application's sh script for testing upload and download speeds reads its list of test URLs from /tmp/speedtest_urls.xml and uses those values in a shell command without sanitising them, which is a command injection vulnerability, as demonstrated through the api/xqnetdetect/netspeed endpoint. Chained together, a crafted backup plants the URL list and a request to api/xqnetdetect/netspeed triggers the injected command. The description does not say whether the extraction path itself can be redirected (path traversal) or only the file contents; the stated remediation is the upgrade to 2.28.23-stable or later.


Vulnerable Product

mi millet_router_3g_firmware

Github Repositories

POC-EXP (translated README index; columns: vulnerability, notes):
Drupal Drupalgeddon 2 remote code execution (CVE-2018-7600): reproduction and analysis
Xiaomi router series vulnerabilities (CVE-2019-18371/CVE-2019-18370): vulnerability report

Enables SSH without `miwifi_ssh.bin` for Xiaomi Mi WiFi 3G (R3G)

Xiami Router Patch. Tested on: Xiaomi Mi Wi-Fi Router 3G (R3G). I'm sure this workaround can work on newer/others too. I screwed up: I bought too many Xiaomi Routers: nano, mini and some other monster I don't remember. While all of them were a pleasure to set up with OpenWrt, Xiaomi decided to make it a hassle to do so with their newer devices. And here is where my prob