CVE-2018-14010

high-risk

Published 2018-07-15

OS command injection in the guest Wi-Fi settings feature in /cgi-bin/luci on Xiaomi R3P before 2.14.5, R3C before 2.12.15, R3 before 2.22.15, and R3D before 2.26.4 devices allows an attacker to execute any command via crafted JSON data.

Do I need to act?

10.8% chance of exploitation in next 30 days

EPSS score — higher than 89% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (4)

Xiaomi R3P Firmware

Xiaomi R3C Firmware

Xiaomi R3D Firmware

Xiaomi R3

Affected Vendors

References (4)

Third Party Advisory http://www.cnvd.org.cn/flaw/show/CNVD-2018-04521

Exploit https://github.com/cc-crack/router/blob/master/CNVD-2018-04521.py

Third Party Advisory http://www.cnvd.org.cn/flaw/show/CNVD-2018-04521

Exploit https://github.com/cc-crack/router/blob/master/CNVD-2018-04521.py

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 11/34 · Low

Exposure 10/34 · Low