Vulnerabilities > MI > Critical
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-01-13 | CVE-2020-14102 | Command Injection vulnerability in MI Ax1800 Firmware and Rm1800 Firmware There is command injection when ddns processes the hostname, which causes the administrator user to obtain the root privilege of the router. | 9.0 |
| 2020-09-11 | CVE-2020-14100 | Improper Privilege Management vulnerability in MI R3600 Firmware In Xiaomi router R3600 ROM version<1.0.66, filters in the set_WAN6 interface can be bypassed, causing remote code execution. | 10.0 |
| 2018-11-27 | CVE-2018-16130 | OS Command Injection vulnerability in MI Miwifi OS 2.22.15 System command injection in request_mitv in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute arbitrary system commands via the "payload" URL parameter. | 9.0 |
| 2018-11-27 | CVE-2018-13023 | OS Command Injection vulnerability in MI Miwifi OS 2.22.15 System command injection vulnerability in wifi_access in Xiaomi Mi Router 3 version 2.22.15 allows attackers to execute system commands via the "timeout" URL parameter. | 9.0 |
| 2018-07-15 | CVE-2018-14060 | OS Command Injection vulnerability in MI Xiaomi R3D Firmware OS command injection in the AP mode settings feature in /cgi-bin/luci /api/misystem/set_router_wifiap on Xiaomi R3D before 2.26.4 devices allows an attacker to execute any command via crafted JSON data. | 10.0 |
| 2018-07-15 | CVE-2018-14010 | OS Command Injection vulnerability in MI products OS command injection in the guest Wi-Fi settings feature in /cgi-bin/luci on Xiaomi R3P before 2.14.5, R3C before 2.12.15, R3 before 2.22.15, and R3D before 2.26.4 devices allows an attacker to execute any command via crafted JSON data. | 10.0 |