Details of VAR-202308-4314

ID

VAR-202308-4314

CVE

CVE-2023-26317

TITLE

mi of xiaomi router Command injection vulnerability in firmware

Trust: 0.8

sources: JVNDB: JVNDB-2023-021014

DESCRIPTION

Xiaomi routers have an external interface that can lead to command injection. The vulnerability is caused by lax filtering of responses from external interfaces. Attackers can exploit this vulnerability to gain access to the router by hijacking the ISP or upper-layer routing. mi of xiaomi router Firmware contains a command injection vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. Xiaomi router is a series of wireless routers from Xiaomi, a Chinese company

Trust: 2.16

sources: NVD: CVE-2023-26317 // JVNDB: JVNDB-2023-021014 // CNVD: CNVD-2025-06298

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2025-06298

AFFECTED PRODUCTS

vendor:	mi	model:	xiaomi router	scope:	lt	version:	2023.2	Trust: 1.0
vendor:	mi	model:	xiaomi router	scope:	eq	version:	-	Trust: 0.8
vendor:	mi	model:	xiaomi router	scope:	eq	version:	xiaomi router firmware 2023.2	Trust: 0.8
vendor:	mi	model:	xiaomi router	scope:	-	version:	-	Trust: 0.8
vendor:	xiaomi	model:	router	scope:	lt	version:	2023.2	Trust: 0.6

sources: CNVD: CNVD-2025-06298 // JVNDB: JVNDB-2023-021014 // NVD: CVE-2023-26317

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2023-26317
value:	CRITICAL
Trust: 1.0
security@xiaomi.com:	CVE-2023-26317
value:	HIGH
Trust: 1.0
NVD:	CVE-2023-26317
value:	CRITICAL
Trust: 0.8
CNVD:	CNVD-2025-06298
value:	MEDIUM
Trust: 0.6

CNVD:	CNVD-2025-06298
severity:	MEDIUM
baseScore:	6.6
vectorString:	AV:N/AC:H/AU:N/C:P/I:C/A:P
accessVector:	NETWORK
accessComplexity:	HIGH
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	COMPLETE
availabilityImpact:	PARTIAL
exploitabilityScore:	4.9
impactScore:	8.5
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2023-26317
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	3.9
impactScore:	5.9
version:	3.1
Trust: 1.0
security@xiaomi.com:	CVE-2023-26317
baseSeverity:	HIGH
baseScore:	7.0
vectorString:	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	HIGH
availabilityImpact:	LOW
exploitabilityScore:	2.2
impactScore:	4.7
version:	3.1
Trust: 1.0
NVD:	CVE-2023-26317
baseSeverity:	CRITICAL
baseScore:	9.8
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2025-06298 // JVNDB: JVNDB-2023-021014 // NVD: CVE-2023-26317 // NVD: CVE-2023-26317

PROBLEMTYPE DATA

problemtype:	CWE-77	Trust: 1.0
problemtype:	CWE-78	Trust: 1.0
problemtype:	Command injection (CWE-77) [NVD evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2023-021014 // NVD: CVE-2023-26317

PATCH

title:

Patch for Xiaomi router command execution vulnerability (CNVD-2025-06298)

url:

https://www.cnvd.org.cn/patchInfo/show/674516

Trust: 0.6

sources: CNVD: CNVD-2025-06298

EXTERNAL IDS

db:	NVD	id:	CVE-2023-26317	Trust: 3.2
db:	JVNDB	id:	JVNDB-2023-021014	Trust: 0.8
db:	CNVD	id:	CNVD-2025-06298	Trust: 0.6

sources: CNVD: CNVD-2025-06298 // JVNDB: JVNDB-2023-021014 // NVD: CVE-2023-26317

REFERENCES

url:	https://trust.mi.com/zh-cn/misrc/bulletins/advisory?cveid=529	Trust: 1.8
url:	https://nvd.nist.gov/vuln/detail/cve-2023-26317	Trust: 1.4

sources: CNVD: CNVD-2025-06298 // JVNDB: JVNDB-2023-021014 // NVD: CVE-2023-26317

SOURCES

db:	CNVD	id:	CNVD-2025-06298
db:	JVNDB	id:	JVNDB-2023-021014
db:	NVD	id:	CVE-2023-26317

LAST UPDATE DATE

2025-04-03T22:36:34.735000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2025-06298	date:	2025-04-02T00:00:00
db:	JVNDB	id:	JVNDB-2023-021014	date:	2024-01-18T05:47:00
db:	NVD	id:	CVE-2023-26317	date:	2024-10-08T10:15:03.907

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2025-06298	date:	2025-04-02T00:00:00
db:	JVNDB	id:	JVNDB-2023-021014	date:	2024-01-18T00:00:00
db:	NVD	id:	CVE-2023-26317	date:	2023-08-02T14:15:10.407