CVE-2019-18370

9.8 CRITICAL

📋 TL;DR

This CVE describes a critical command injection vulnerability in Xiaomi Mi WiFi R3G routers that allows remote attackers to execute arbitrary commands with root privileges. The vulnerability exists in the speed test functionality that reads from a user-controlled XML file, enabling unauthenticated remote code execution. All users of affected Xiaomi Mi WiFi R3G devices running firmware before version 2.28.23-stable are at risk.

💻 Affected Systems

Products:
  • Xiaomi Mi WiFi R3G
Versions: All versions before 2.28.23-stable
Operating Systems: Embedded Linux (OpenWrt-based)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable speed test functionality is enabled by default. The backup file upload feature combined with tar extraction creates additional attack vectors.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attacker to install persistent backdoors, intercept all network traffic, pivot to internal networks, and use the device for botnet activities.

🟠 Likely Case

Remote attacker gains root shell access to the router, enabling traffic interception, DNS hijacking, credential theft, and lateral movement to connected devices.

🟢 If Mitigated

Limited impact with proper network segmentation and firewall rules preventing external access to vulnerable services.

🌐 Internet-Facing: HIGH - The vulnerable API endpoint is accessible from WAN interface by default, allowing remote exploitation without authentication.
🏢 Internal Only: HIGH - Even if WAN access is blocked, any compromised internal device can exploit this vulnerability to gain router control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts exist that demonstrate reliable remote code execution. The vulnerability is trivial to exploit with basic scripting knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.28.23-stable and later

Vendor Advisory: https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=CVE-2019-18370

Restart Required: Yes

Instructions:

1. Log into the router web interface.
2. Navigate to System Settings > Firmware Update.
3. Check for updates and install version 2.28.23-stable or later.
4. Reboot the router after the update completes.

🔧 Temporary Workarounds

Block Vulnerable API Endpoint

Add firewall rules that drop requests for the vulnerable /api/xqnetdetect/netspeed endpoint:

  iptables -A INPUT -p tcp --dport 80 -m string --string "/api/xqnetdetect/netspeed" --algo bm -j DROP
  iptables -A INPUT -p tcp --dport 443 -m string --string "/api/xqnetdetect/netspeed" --algo bm -j DROP

Caveat: the string match only sees cleartext, so the port-443 rule cannot inspect inside TLS, and a request whose path is split across packets can slip past it. Treat this as a stopgap alongside disabling WAN access, not as a substitute for the firmware update.

Disable Remote Management

Disable WAN access to the router administration interface:

  uci set firewall.remote_management.enabled='0'
  uci commit firewall
  /etc/init.d/firewall restart

🧯 If You Can't Patch

  • Replace affected Xiaomi router with a different vendor's device
  • Place router behind a dedicated firewall that blocks all incoming traffic to router management interfaces

🔍 How to Verify

Check if Vulnerable:

Check whether the router responds to a malicious payload at http://<router-ip>/api/xqnetdetect/netspeed with command injection. Use curl with the payload:

  curl -X POST 'http://<router-ip>/api/xqnetdetect/netspeed' --data 'urls=;id;'

Check Version:

  ssh root@<router-ip> 'grep DISTRIB_RELEASE /etc/openwrt_release'

or check the web interface under System Status.

Verify Fix Applied:

Repeat the same request after patching; the device should return an error and the injected command should not execute. Confirm that the firmware version is 2.28.23-stable or higher.
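A version check that applies the fixed-version boundary stated above (first fixed release 2.28.23-stable). This is an added example, not part of the original advisory or Xiaomi's tooling; it assumes the firmware version string has the form MAJOR.MINOR.PATCH-channel and that the DISTRIB_RELEASE line from /etc/openwrt_release carries that string (both are assumptions). The point it adds is that the comparison must be numeric per component, so a hypothetical 2.28.100 is recognised as newer than 2.28.23 rather than older, which a plain string comparison would get wrong.

```python
import re

# First fixed release named in the advisory: 2.28.23-stable
FIXED = (2, 28, 23)

# Assumed version format: MAJOR.MINOR.PATCH with an optional "-channel" suffix
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\w+))?$")

# Assumed layout of the DISTRIB_RELEASE line in /etc/openwrt_release
_RELEASE_LINE = re.compile(r"^DISTRIB_RELEASE=['\"]?([^'\"\s]+)['\"]?", re.MULTILINE)


def parse_version(version: str) -> tuple[int, int, int]:
    """Split '2.28.23-stable' into the numeric tuple (2, 28, 23); the channel
    suffix does not take part in the comparison."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_vulnerable(version: str) -> bool:
    """True when the firmware is older than the first fixed release.
    Tuple comparison is numeric per component, so 2.28.100 > 2.28.23."""
    return parse_version(version) < FIXED


def release_from_openwrt_release(text: str) -> str:
    """Pull the version string out of captured /etc/openwrt_release content."""
    m = _RELEASE_LINE.search(text)
    if not m:
        raise ValueError("no DISTRIB_RELEASE line found")
    return m.group(1)


if __name__ == "__main__":
    # Constructed sample of the file contents, not captured from a real device
    sample = "DISTRIB_ID='Xiaomi'\nDISTRIB_RELEASE='2.28.22-stable'\n"
    ver = release_from_openwrt_release(sample)
    print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
```

Feed it the output of the ssh command above; anything that reports vulnerable still needs the firmware update, whatever the release channel suffix says.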

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /api/xqnetdetect/netspeed with shell metacharacters
  • Unexpected processes spawned from web server
  • Failed authentication attempts followed by successful command execution

Network Indicators:

  • HTTP POST requests containing shell commands (semicolons, pipes, backticks) to router port 80/443
  • Outbound connections from router to suspicious IPs post-exploit

SIEM Query:

source="router.log" AND (url="/api/xqnetdetect/netspeed" AND (data="*;*" OR data="*`*" OR data="*|*" OR data="*$(*"))
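The SIEM query above expressed as a standalone detector that can be run over exported logs. This is an added example, not from the original advisory; the log line layout (method, path, request body separated by spaces) and the sample lines themselves are constructed assumptions. It adds one check the wildcard query misses: the body is URL-decoded before matching, so a semicolon sent as %3B is still caught.

```python
import re
from urllib.parse import unquote_plus

VULN_ENDPOINT = "/api/xqnetdetect/netspeed"

# Shell metacharacters the SIEM query keys on: ';', '|', backtick and '$('
META = re.compile(r"[;|`]|\$\(")

# Constructed sample log lines (assumed format: METHOD PATH BODY); not real router logs.
SAMPLE_LOG = """\
POST /api/xqnetdetect/netspeed urls=http://speedtest.example.com/
POST /api/xqnetdetect/netspeed urls=;id;
POST /api/xqnetdetect/netspeed?lang=en urls=http%3A%2F%2Fspeedtest.example.com%2F%3Bid%3B
GET /cgi-bin/luci/web -
POST /api/misystem/status name=test
"""


def flag_requests(log_text: str) -> list[dict]:
    """Return the POST requests to the vulnerable endpoint whose decoded body
    contains a shell metacharacter, with the line number and the first match."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue  # malformed line; skip rather than crash the sweep
        method, path, body = parts
        # Compare the path without its query string
        if method != "POST" or path.split("?", 1)[0] != VULN_ENDPOINT:
            continue
        decoded = unquote_plus(body)  # %3B -> ';' so encoded payloads are not missed
        m = META.search(decoded)
        if m:
            hits.append({"line": lineno, "metachar": m.group(0), "body": decoded})
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(f"line {hit['line']}: metachar {hit['metachar']!r} in {hit['body']!r}")
```

Benign speed-test bodies that only carry a URL pass through; the two flagged lines are the ones whose body, after decoding, carries a command separator. Pair a hit with the "unexpected process spawned from web server" indicator to confirm execution rather than a mere attempt.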
