CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-26317
https://notcve.org/view.php?id=CVE-2023-26317
A vulnerability has been discovered in Xiaomi routers that could allow command injection through an external interface. This vulnerability arises from inadequate filtering of responses returned from the external interface. Attackers could exploit this vulnerability by hijacking the ISP or an upper-layer router to gain privileges on the Xiaomi router. Successful exploitation of this flaw could permit remote code execution and complete compromise of the device. • https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=529 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14140
https://notcve.org/view.php?id=CVE-2020-14140
When Xiaomi router firmware is updated in 2020, there is an unauthenticated API that can reveal WIFI password vulnerability. This vulnerability is caused by the lack of access control policies on some API interfaces. Attackers can exploit this vulnerability to enter the background and execute background command injection. • https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=506 • CWE-306: Missing Authentication for Critical Function •