Login Sign Up

CVE-2018-18698

9.8 CRITICAL

📋 TL;DR

This vulnerability exposes Wi-Fi hotspot passwords in cleartext within system logs on Xiaomi Mi A1 devices. Attackers with physical access or malware can extract these passwords, potentially compromising network security. Only Xiaomi Mi A1 devices with specific firmware versions are affected.

💻 Affected Systems

Products:
  • Xiaomi Mi A1 (tissot_sprout)
Versions: OPM1.171019.026/V9.6.4.0.ODHMIFE
Operating Systems: Android 8.1.0 (Oreo)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices when setting up as a Wi-Fi hotspot. Requires access to logcat output.

📦 What is this software?

Xiaomi Mi A1 Firmware by Mi

View all CVEs affecting Xiaomi Mi A1 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain unauthorized access to the Wi-Fi network, enabling man-in-the-middle attacks, data interception, and lateral movement to connected devices.

🟠

Likely Case

Local attackers or malware with log access can extract Wi-Fi passwords, compromising network security and potentially exposing sensitive traffic.

🟢

If Mitigated

With proper logging controls and access restrictions, the risk is limited to authorized users who already have device access.

🌐 Internet-Facing: LOW - This requires local access to device logs or malware execution on the device.
🏢 Internal Only: MEDIUM - Internal attackers with physical access or malware can exploit this to compromise Wi-Fi networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to logcat output via ADB, physical access, or malware. Simple grep commands can extract passwords.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Later firmware versions from Xiaomi

Vendor Advisory: Not publicly documented by Xiaomi

Restart Required: Yes

Instructions:

1. Update Xiaomi Mi A1 to latest firmware via Settings > System > System update. 2. Verify update installed. 3. Restart device.

🔧 Temporary Workarounds

Disable logging of sensitive data

android

Configure logcat to exclude sensitive information or disable debug logging in production

adb shell logcat -P ""
adb shell setprop log.tag.System WARN

Restrict log access

android

Limit access to logcat through Android permissions and disable USB debugging

adb shell pm revoke com.android.shell android.permission.READ_LOGS
Disable USB debugging in Developer options

🧯 If You Can't Patch

  • Avoid using Wi-Fi hotspot feature on affected devices
  • Implement network segmentation and monitor for unusual Wi-Fi connections

🔍 How to Verify

Check if Vulnerable:

1. Enable Wi-Fi hotspot on device. 2. Run: adb logcat | grep -i password. 3. Check if Wi-Fi password appears in cleartext.

Check Version:

adb shell getprop ro.build.version.incremental

Verify Fix Applied:

1. Update firmware. 2. Repeat vulnerable check. 3. Confirm password no longer appears in logs.

📡 Detection & Monitoring

Log Indicators:

  • Cleartext Wi-Fi passwords in logcat output
  • Sensitive data in Android system logs

Network Indicators:

  • Unauthorized devices connecting to Wi-Fi networks
  • Unusual authentication attempts

SIEM Query:

source="android_logcat" AND "password" AND "wifi"

📊 Metadata

CVE ID: CVE-2018-18698
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-522
Published: December 24, 2018
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2018-18698, you might also want to check these:

CVE-2024-51545 10.0

This CVE describes a username enumeration vulnerability in ABB industrial control system products th...

Same vulnerability type (CWE-522)
CVE-2021-30116 10.0

CVE-2021-30116 is an authentication bypass vulnerability in Kaseya VSA that allows unauthenticated a...

Same vulnerability type (CWE-522)
CVE-2025-0867 9.9

This vulnerability allows standard users to execute commands with administrative privileges through ...

Same vulnerability type (CWE-522)