Cyber Resilience

CVE-2023-26315

Medium · RCE

Published: 26 August 2024

Modified: 08 October 2024
KEV Added
Patch
CVSS Score (v3.1): 6.5, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
EPSS Score: 0.6750 (98.6th percentile)
Risk Priority: 53 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-26315 is a medium-severity OS Command Injection (CWE-78) vulnerability in Mi Ax9000 Firmware. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 1.4% of CVEs by exploit likelihood (EPSS 0.6750, 98.6th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The Xiaomi router AX9000 contains a post-authentication command injection vulnerability tracked as CVE-2023-26315. The flaw stems from missing input filtering and is classified under CWE-78 and CWE-77. It affects the device firmware and carries a CVSS 3.1 score of 6.5 with the vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H.

An attacker who has already obtained administrative credentials can supply crafted input over the network to execute arbitrary commands. Successful exploitation grants root-level access to the router, enabling full control over device configuration and traffic.

Xiaomi has published an advisory that addresses the issue at https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=546. The current EPSS score of 0.6750 has remained flat at its recorded peak, indicating sustained but not newly emerging exploitation interest.

Vulnerability details

The Xiaomi router AX9000 has a post-authentication command injection vulnerability. This vulnerability is caused by the lack of input filtering, allowing an attacker to exploit it to obtain root access to the device.

CWE(s): CWE-78 (OS Command Injection), CWE-77 (Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: mi (Xiaomi)
Product: ax9000 firmware
Versions: 1.0.0 to 1.0.174

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements (shell metacharacters) that would alter OS command execution.

References

Xiaomi security advisory for CVE-2023-26315: https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=546