CVE-2020-11960 – This vulnerability in Xiaomi R3600 routers allo... (How to Fix)

Q: What is the severity of CVE-2020-11960?

CVE-2020-11960 has a CVSS score of 9.8 (CRITICAL). This vulnerability in Xiaomi R3600 routers allows attackers to upload malicious backup files that can be extracted to arbitrary locations in the /tmp directory. This can lead to remote code execution or denial of service attacks. Only users with Xiaomi R3600 routers running ROM versions before 1.0.50 are affected.

📋 TL;DR

This vulnerability in Xiaomi R3600 routers allows attackers to upload malicious backup files that can be extracted to arbitrary locations in the /tmp directory. This can lead to remote code execution or denial of service attacks. Only users with Xiaomi R3600 routers running ROM versions before 1.0.50 are affected.

💻 Affected Systems

Products:

Xiaomi Router R3600

Versions: ROM versions before 1.0.50

Operating Systems: Router firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All default configurations of affected versions are vulnerable. The c_upload interface is typically accessible via web management interface.

📦 What is this software?

Xiaomi R3600 Firmware by Mi

View all CVEs affecting Xiaomi R3600 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise via remote code execution, allowing attacker to take complete control of the router, intercept network traffic, pivot to internal networks, or create persistent backdoors.

🟠

Likely Case

Router compromise leading to network traffic interception, DNS hijacking, or denial of service by crashing router services.

🟢

If Mitigated

Limited impact if router is behind firewall with restricted WAN access and proper network segmentation.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices, and this vulnerability can be exploited remotely without authentication.

🏢 Internal Only: MEDIUM - Could be exploited by malicious insiders or compromised internal devices.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires crafting malicious backup files and uploading via the vulnerable interface. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ROM version 1.0.50 or later

Vendor Advisory: https://privacy.mi.com/trust#/security/vulnerability-management/vulnerability-announcement/detail?id=15

Restart Required: Yes

Instructions:

1. Log into router web interface. 2. Navigate to System Settings > Firmware Update. 3. Check for updates and install version 1.0.50 or later. 4. Reboot router after update completes.

🔧 Temporary Workarounds

Disable remote management

all

Prevent external access to router management interface

Restrict management interface access

all

Limit access to router management interface to trusted IP addresses only

🧯 If You Can't Patch

Isolate router on separate VLAN with strict firewall rules
Disable all unnecessary services and interfaces on the router

🔍 How to Verify

Check if Vulnerable:

Check router firmware version via web interface: System Settings > Firmware Information

Check Version:

Not applicable - check via web interface

Verify Fix Applied:

Verify firmware version is 1.0.50 or higher after update

📡 Detection & Monitoring

Log Indicators:

Unusual file uploads to c_upload interface
Unexpected processes running from /tmp directory
Failed authentication attempts to management interface

Network Indicators:

Unusual outbound connections from router
Suspicious traffic patterns from router to internal systems

SIEM Query:

source="router_logs" AND (uri="*c_upload*" OR process="*/tmp/*")

📊 Metadata

CVE ID: CVE-2020-11960

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Published: June 24, 2020

Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON