Unauthenticated API Reveals WIFI Password and Enables Command Injection in Xiaomi Router Firmware Update (2020)

Unauthenticated API Reveals WIFI Password and Enables Command Injection in Xiaomi Router Firmware Update (2020)

CVE-2020-14140 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

When Xiaomi router firmware is updated in 2020, there is an unauthenticated API that can reveal WIFI password vulnerability. This vulnerability is caused by the lack of access control policies on some API interfaces. Attackers can exploit this vulnerability to enter the background and execute background command injection.

Learn more about our Api Penetration Testing.