CVE-2020-14140

EPSS 0.37%
Published 29.03.2023 20:15:07
Last modified 18.02.2025 18:15:09
Source security@xiaomi.com
Teams watchlist Login
Open Login

When Xiaomi router firmware is updated in 2020, there is an unauthenticated API that can reveal WIFI password vulnerability. This vulnerability is caused by the lack of access control policies on some API interfaces. Attackers can exploit this vulnerability to enter the background and execute background command injection.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Mi ≫ Xiaomi Router Firmware Version >= 2020 < 2023.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.37%	0.561

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=506

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-14140

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-14140

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-14140

EUVD