History: Mar 29, 2023 - 8:15 p.m.

CVE-2020-14140

2023-03-29 20:15:07
CWE-306
Xiaomi
web.nvd.nist.gov
16
Tags: xiaomi, router, firmware, unauthenticated api, wifi, password, disclosure, vulnerability, nvd

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 8
Confidence: High

EPSS: 0.001
Percentile: 34.9%

Xiaomi router firmware updated in 2020 contains an unauthenticated API that can reveal the Wi-Fi password. The vulnerability is caused by the lack of access control policies on some API interfaces. Attackers can exploit it to enter the management backend and perform command injection there.

Affected configurations

Nvd

Node
mi | xiaomi_router_firmware | Range: 2020 - 2023.2

Vendor | Product | Version | CPE
mi | xiaomi_router_firmware | * | cpe:2.3:o:mi:xiaomi_router_firmware:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "Xiaomi Multiple Devices",
    "versions": [
      {
        "version": "Xiaomi Multiple Devices, firmware update time in 2020-2022",
        "status": "affected"
      }
    ]
  }
]
