Xiaomi has disclosed a critical security vulnerability in its interoperability application that could allow attackers to gain unauthorized access to users’ devices.
The vulnerability, identified as CVE-2024-45347 with a severe CVSS score of 9.6, affects millions of Xiaomi device users worldwide and highlights ongoing concerns about mobile security in interconnected ecosystems.
The vulnerability, designated as MiSVD-2025-548 by Xiaomi’s security team, was officially disclosed on February 20, 2025.
The security vulnerability resides within Xiaomi’s interoperability application, a crucial component that enables seamless connectivity and data sharing between Xiaomi devices and services.
This application is widely deployed across Xiaomi’s ecosystem, making the vulnerability particularly concerning for the company’s extensive user base.
The root cause is a flaw in the application’s verification logic.
Security researchers discovered that this verification mechanism could be bypassed through specific attack vectors, effectively circumventing the security controls designed to protect user devices and data.
The bypass technique exploits weaknesses in how the application validates user credentials and device permissions, creating an avenue for malicious actors to gain elevated access privileges.
According to the vulnerability disclosure, attackers who successfully exploit this vulnerability can achieve unauthorized access to victim devices without requiring physical interaction or user consent.
This type of vulnerability is particularly dangerous as it operates at the application protocol level, potentially affecting the core security infrastructure that users rely on for device protection.
Xiaomi App Vulnerability
The technical analysis of this vulnerability reveals several critical aspects:
- Affected Product: Xiaomi Interconnection Application version 3.1.895.10, widely distributed across Xiaomi’s device ecosystem.
- Vulnerability Type: Defects in interoperability application protocols that create security gaps exploitable by remote attackers.
- CVSS Score Impact: The 9.6 rating indicates near-maximum risk level, reflecting potential for complete system compromise.
- Access Method: Unauthorized data access, device manipulation, and possible lateral movement within connected networks.
- Privilege Escalation: The application’s elevated permissions within Xiaomi’s ecosystem amplify the vulnerability’s impact.
- Ecosystem Risk: Vulnerabilities in interoperability protocols can affect entire connected ecosystems, not just individual devices.
- Lateral Movement Potential: Attackers may move between connected devices, accessing smart home systems and personal data.
- Remote Exploitation: The vulnerability can be exploited without physical access or direct user interaction.
Security experts note that vulnerabilities in interoperability protocols are particularly concerning because they can affect not just individual devices, but entire connected ecosystems.
When attackers gain access through these channels, they may be able to move laterally between connected devices, accessing smart home systems, personal data, and other sensitive information stored across the user’s Xiaomi ecosystem.
Remediation Efforts
Xiaomi has responded promptly to the vulnerability disclosure by releasing a patched version of the application.
Users are strongly advised to update to version 3.1.921.10 or later, which addresses the security vulnerability and restores proper verification logic functionality.
The company has implemented enhanced security controls in the updated version to prevent similar bypass techniques from being effective.
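The remediation advice above comes down to a version threshold: anything older than 3.1.921.10 should be treated as unpatched. The following is an added example, not code from Xiaomi or from the advisory, showing how a fleet administrator can triage an inventory of installed versions against that threshold. The inventory is constructed sample data, and the rule "any build older than the fixed release is flagged" is this example's conservative assumption; the advisory itself only names 3.1.895.10 as affected.

```python
# Added example (not from the Xiaomi advisory): flag installed builds of the
# interoperability app that predate the fixed release named in the advisory.
from typing import Dict, List, Tuple

# Version strings taken from the advisory text: the named affected build and
# the release that users are told to update to ("3.1.921.10 or later").
AFFECTED_VERSION = "3.1.895.10"
FIXED_VERSION = "3.1.921.10"


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version into a tuple of ints so comparison is numeric.

    A plain string comparison would wrongly rank "3.1.1000.2" below
    "3.1.921.10" because '1' sorts before '9'.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the fixed release.

    Assumption (not stated by the advisory): every build below the fixed
    release is treated as needing the update.
    """
    a, b = parse_version(installed), parse_version(fixed)
    # Pad the shorter tuple with zeros so that "3.1.921" compares as "3.1.921.0".
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the device ids whose installed version still needs the update."""
    return sorted(dev for dev, ver in inventory.items() if is_vulnerable(ver))


# Constructed sample inventory: device id -> installed app version.
SAMPLE_INVENTORY = {
    "phone-01": "3.1.895.10",   # the affected build named in the advisory
    "phone-02": "3.1.921.10",   # the fixed build
    "phone-03": "3.1.1000.2",   # newer build; lexical compare would misflag it
    "tablet-01": "3.1.9",       # older, shorter version string
}

if __name__ == "__main__":
    for dev in triage(SAMPLE_INVENTORY):
        print(f"{dev}: {SAMPLE_INVENTORY[dev]} needs update to >= {FIXED_VERSION}")
```

Running the block prints the two sample devices that still need the update. The numeric, zero-padded comparison is the part worth keeping: version checks that compare strings lexically are a common source of both false alarms and, worse, missed unpatched devices.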
The vulnerability was discovered by Liu Xiaofeng, a security researcher from the School of Cyberspace Security at Shandong University.
Xiaomi’s Security Center has publicly acknowledged this contribution, emphasizing the importance of collaborative security research in identifying and addressing critical vulnerabilities before they can be exploited maliciously.
Xiaomi continues to encourage security researchers and experts to participate in their Vulnerability Disclosure Program (VDP) through the Xiaomi Security Response Center (MiSRC).
This program represents the company’s commitment to proactive security measures and community-driven vulnerability discovery, helping to protect hundreds of millions of Xiaomi users worldwide through coordinated disclosure and rapid remediation efforts.