Cyber Posture

CVE-2026-29515

CriticalPublic PoCUpdated
Microsoft: not affectedMSmacOS: not affectedMacLinux: not affectedLnxMobile: affectedMobNetwork: not affectedNetApplication: not affectedAppOther: not affectedOth

Published: 11 March 2026

Published
11 March 2026
Modified
07 May 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0018 39.2th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-29515 is a critical-severity Incorrect Implementation of Authentication Algorithm (CWE-303) vulnerability in Xiaomi Fileexplorer. Its CVSS base score is 9.8 (Critical).

Operationally, ranked at the 39.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-1 Policy and Procedures
addresses: CWE-862

Requiring an access control policy ensures authorization checks are defined and applied for critical functions.

AC-13 Supervision and Review — Access Control
addresses: CWE-862

Reviews of access controls detect missing authorization checks on critical functions or resources.

AC-14 Permitted Actions Without Identification or Authentication
addresses: CWE-862

Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.

AC-16 Security and Privacy Attributes
addresses: CWE-862

Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.

AC-17 Remote Access
addresses: CWE-862

Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.

AC-18 Wireless Access
addresses: CWE-862

Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.

AC-19 Access Control for Mobile Devices
addresses: CWE-862

The control requires authorization before allowing mobile device connections, directly mitigating missing authorization for system access.

AC-2 Account Management
addresses: CWE-862

Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.

NVD Description

MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without valid credentials. Attackers can send arbitrary username and password combinations to the PASS command handler, which unconditionally grants…

more

access and allows listing, reading, writing, and deleting files exposed by the FTP server. The MiCode/Explorer open source project has reached end-of-life status.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-303CWE-862

Affected Products

xiaomi
fileexplorer
all versions

CVEs Like This One

CVE-2024-10591Shared CWE-862
CVE-2026-26741Shared CWE-862
CVE-2026-4100Shared CWE-862
CVE-2026-3524Shared CWE-862
CVE-2024-13232Shared CWE-862
CVE-2026-28446Shared CWE-303
CVE-2024-13677Shared CWE-862
CVE-2024-11423Shared CWE-862
CVE-2026-24534Shared CWE-862
CVE-2026-27181Shared CWE-862

References