CVE-2023-26321

6.3 MEDIUM

📋 TL;DR

This path traversal vulnerability in Xiaomi File Manager allows attackers to write arbitrary files to sensitive locations by manipulating file paths. Attackers could potentially execute malicious code on affected devices. Users of the international version of Xiaomi File Manager are affected.

💻 Affected Systems

Products:
  • Xiaomi File Manager (international version)
Versions: Specific vulnerable versions not specified in advisory
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects international versions of Xiaomi File Manager; Chinese versions may not be affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete device compromise, data theft, and persistent backdoor installation.

🟠 Likely Case: Local file overwrite leading to application compromise, data corruption, or privilege escalation.

🟢 If Mitigated: Limited impact if proper file system permissions restrict write access to critical locations.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the attacker to already have some level of access to the device in order to trigger the file operation with a malicious path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in advisory

Vendor Advisory: https://trust.mi.com/misrc/bulletins/advisory?cveId=541

Restart Required: Yes

Instructions:

1. Open Xiaomi App Store
2. Check for File Manager updates
3. Install the latest version
4. Restart the device

🔧 Temporary Workarounds

Disable File Manager (Android)

Temporarily disable the vulnerable application until patched:

adb shell pm disable com.mi.android.globalFileexplorer

Restrict permissions (Android)

Remove storage permissions from the File Manager app:

adb shell pm revoke com.mi.android.globalFileexplorer android.permission.WRITE_EXTERNAL_STORAGE

🧯 If You Can't Patch

  • Isolate affected devices from network access
  • Implement application allowlisting to prevent unauthorized app execution

🔍 How to Verify

Check if Vulnerable:

Check File Manager version in Settings > Apps > File Manager > App info

Check Version:

adb shell dumpsys package com.mi.android.globalFileexplorer | grep versionName

Verify Fix Applied:

Verify updated version from Xiaomi App Store and check advisory for fixed version

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations in File Manager logs
  • Path traversal patterns in file access logs

Network Indicators:

  • Unexpected outbound connections from File Manager process

SIEM Query:

process_name:"com.mi.android.globalFileexplorer" AND (file_path:"../" OR file_path:"..\\")
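The query above matches raw "../" substrings, which both over-alerts on harmless relative paths that stay inside the allowed directory and misses percent-encoded traversal. The following added example (not from the advisory or from Xiaomi) triages constructed log lines in a simple key=value form by resolving each write path against an assumed sandbox root and comparing that verdict with the naive substring match:

```python
import posixpath
from urllib.parse import unquote

# Constructed sample log lines (not real Xiaomi File Manager logs).
SAMPLE_LOGS = [
    "process_name=com.mi.android.globalFileexplorer op=write file_path=/sdcard/Download/notes.txt",
    "process_name=com.mi.android.globalFileexplorer op=write file_path=/sdcard/Download/../../data/data/com.example/files/x",
    "process_name=com.mi.android.globalFileexplorer op=write file_path=/sdcard/Download/sub/../report.pdf",
    "process_name=com.mi.android.globalFileexplorer op=write file_path=/sdcard/Download/%2e%2e/%2e%2e/data/data/evil",
    "process_name=com.android.chrome op=write file_path=/sdcard/Download/../../data/x",
]

ALLOWED_ROOT = "/sdcard/Download"  # assumed directory the app is expected to write under
TARGET = "com.mi.android.globalFileexplorer"


def parse_log(line):
    """Split a key=value log line into a dict (paths in the samples contain no spaces)."""
    return dict(field.split("=", 1) for field in line.split())


def naive_hit(path):
    """The substring check the SIEM query performs."""
    return "../" in path or "..\\" in path


def escapes_root(path, root=ALLOWED_ROOT):
    """Decode, normalise and check whether the resolved path leaves the allowed root."""
    decoded = unquote(unquote(path)).replace("\\", "/")  # handles single/double encoding
    resolved = posixpath.normpath(decoded)
    return not (resolved == root or resolved.startswith(root.rstrip("/") + "/"))


def triage(lines):
    """Return (path, naive_verdict, resolved_verdict) for every write by the target process."""
    findings = []
    for line in lines:
        rec = parse_log(line)
        if rec.get("process_name") != TARGET:
            continue
        path = rec["file_path"]
        findings.append((path, naive_hit(path), escapes_root(path)))
    return findings


if __name__ == "__main__":
    for path, naive, resolved in triage(SAMPLE_LOGS):
        print(f"naive={naive!s:5} escapes_root={resolved!s:5} {path}")
```

Line three of the sample set is a naive false positive (it resolves to a file inside the root) and line four is a naive miss (encoded traversal that resolves outside it).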
