cbcvebase.
CVE-2019-18371
published 2019-10-23


Priority: P1 · 82 · high
CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Exploited in the wild (ITW exploit; listed in VulnCheck KEV; used for initial access)
EPSS: 55.43% (98.9th percentile)
An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. There is a directory traversal vulnerability to read arbitrary files via a misconfigured NGINX alias, as demonstrated by api-third-party/download/extdisks../etc/config/account. With this vulnerability, the attacker can bypass authentication.

Affected

1 range
Vendor: mi · Product: millet_router_3g_firmware · Version range: < 2.28.23 · Fixed in: 2.28.23

Detection & IOCs (extracted from sources)

URL: /api-third-party/download/extdisks../etc/passwd
Path: /api-third-party/download/extdisks../etc/config/account
  • An unauthenticated HTTP GET request to /api-third-party/download/extdisks../etc/passwd that returns a 200 response whose body matches 'root:.*:0:0:' confirms that the NGINX alias misconfiguration is exploitable on the device.
  • The traversal payload places '../' directly after the aliased path segment 'extdisks' (i.e., 'extdisks../') to escape the aliased directory; look for this pattern in HTTP access logs on the router or on an upstream proxy.
  • No authentication header or cookie is required, since the vulnerability bypasses authentication, so any unauthenticated request to the /api-third-party/download/ endpoint that carries a traversal sequence is suspicious.
  • The vulnerability affects only Xiaomi Mi WiFi R3G devices running firmware versions before 2.28.23-stable; patched devices are not exploitable.
  • The NGINX alias misconfiguration is the root cause; detection rules targeting the URL path pattern should also account for URL-encoded variants of the traversal sequence (e.g., '%2e%2e') that evade simple string matching.
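As an added example (not part of this record or its cited sources), the following access-log scanner flags the 'extdisks..' alias-traversal pattern described above, decoding percent-encoded and double-encoded variants before matching. The log lines, IP addresses and user agents are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format); not real router logs.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Oct/2019:10:00:01 +0000] "GET /api-third-party/download/extdisks../etc/passwd HTTP/1.1" 200 1412 "-" "curl/7.64.1"
203.0.113.5 - - [23/Oct/2019:10:00:02 +0000] "GET /api-third-party/download/extdisks%2e%2e/etc/config/account HTTP/1.1" 200 880 "-" "curl/7.64.1"
203.0.113.9 - - [23/Oct/2019:10:00:03 +0000] "GET /api-third-party/download/extdisks%252e%252e/etc/passwd HTTP/1.1" 200 1412 "-" "python-requests/2.22"
198.51.100.7 - - [23/Oct/2019:10:00:04 +0000] "GET /api-third-party/download/extdisks/sda1/movie.mp4 HTTP/1.1" 200 99 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Oct/2019:10:00:05 +0000] "GET /cgi-bin/luci/web HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# The traversal escapes the alias by placing '..' directly after the aliased
# segment 'extdisks' with no slash in between, e.g. 'extdisks../etc/passwd'.
ALIAS_PREFIX = "/api-third-party/download/extdisks"

def normalize_path(target: str, rounds: int = 3) -> str:
    """Strip the query string and percent-decode repeatedly so that '%2e%2e'
    and double-encoded '%252e%252e' both collapse to '..'."""
    path = target.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_alias_traversal(target: str) -> bool:
    path = normalize_path(target)
    if not path.startswith(ALIAS_PREFIX):
        return False
    # Anything after the aliased segment that begins with '..' leaves the alias root.
    rest = path[len(ALIAS_PREFIX):]
    return rest.startswith("..")

def scan_log(text: str):
    """Return (client ip, decoded path, status) for every request matching the pattern."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_alias_traversal(m["target"]):
            hits.append((m["ip"], normalize_path(m["target"]), int(m["status"])))
    return hits

if __name__ == "__main__":
    for ip, path, status in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {path}")
```

A 200 status on a flagged request is the strongest signal that the read succeeded; requests that were rejected still indicate probing and are worth alerting on.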

CVSS provenance

NVD v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
NVD v2.0: 5.0 MEDIUM (AV:N/AC:L/Au:N/C:P/I:N/A:N)
VulnCheck: 7.5 HIGH