Xiaomi AX3600 is a router.A command injection vulnerability exists in the xqnetwork.lua addMeshNode interface, which is caused by insufficient parameter validation. An attacker could use this vulnerability to inject commands to execute with administrator privileges.