CVE-2020-14120

8.8 HIGH

📋 TL;DR

This vulnerability in some Xiaomi devices allows attackers to achieve privilege escalation by exploiting insufficient parameter validation in third-party applications. Attackers can trick users into installing malicious apps that exploit this flaw to gain elevated system privileges. This affects users of vulnerable Xiaomi smartphone models.

💻 Affected Systems

Products:
  • Xiaomi smartphones (specific models not detailed in advisory)
Versions: Specific affected versions not detailed in advisory
Operating Systems: Android-based MIUI
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires user to install malicious third-party application. Exact affected models and versions not specified in available references.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with the attacker gaining root privileges, allowing installation of persistent malware, data theft, and device takeover.

🟠 Likely Case

Limited privilege escalation allowing malicious apps to access restricted system functions and user data they should not normally be able to reach.

🟢 If Mitigated

No impact if devices are patched or if users only install apps from trusted sources with proper security controls.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (installing a malicious app) and knowledge of the vulnerable parameter-passing mechanism.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in available references

Vendor Advisory: https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=145

Restart Required: Yes

Instructions:

1. Check for system updates in device settings.
2. Install the latest MIUI security update.
3. Restart the device after the update completes.

🔧 Temporary Workarounds

Restrict app installations (android)

Only install applications from the official Google Play Store or Xiaomi App Store.

Enable app verification (android)

Enable 'Verify apps' in security settings to scan for potentially harmful apps.

🧯 If You Can't Patch

  • Only install applications from trusted official sources (Google Play Store, Xiaomi App Store)
  • Disable installation from unknown sources in device security settings

🔍 How to Verify

Check if Vulnerable:

Check the MIUI version in Settings > About phone > MIUI version and compare it with the latest version available for the device.

Check Version:

Not applicable - check via device settings UI

Verify Fix Applied:

Verify that the device has the latest security patch installed via Settings > About phone > Android security patch level.

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation attempts
  • Suspicious app installation events
  • Abnormal system service access

Network Indicators:

  • Connections to suspicious domains after app installation
  • Unexpected data exfiltration

SIEM Query:

Not applicable for mobile device detection
