Vulnerabilities > CVE-2019-15913 - Authorization Bypass Through User-Controlled Key vulnerability in MI products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

CWE-639

NVD

Published: 2019-12-20

Updated: 2020-01-03

Summary

An issue was discovered on Xiaomi DGNWG03LM, ZNCZ03LM, MCCGQ01LM, WSDCGQ01LM, RTCGQ01LM devices. Because of insecure key transport in ZigBee communication, causing attackers to gain sensitive information and denial of service attack, take over smart home devices, and tamper with messages.

Vulnerable Configurations

Part	Description	Count
OS	Mi MI Dgnwg03Lm Firmware - MI Zncz03Lm Firmware - MI Mccgq01Lm Firmware - MI Wsdcgq01Lm Firmware - MI Rtcgq01Lm Firmware -	5
Hardware	Mi MI Dgnwg03Lm - MI Zncz03Lm - MI Mccgq01Lm - MI Wsdcgq01Lm - MI Rtcgq01Lm -	5

Common Weakness Enumeration (CWE)

CWE-639 - Authorization Bypass Through User-Controlled Key

References

https://github.com/chengcheng227/CVE-POC/blob/master/CVE-2019-15913.md