CVE-2018-14060

Name of the Vulnerable Software and Affected Versions Xiaomi R3D versions prior to 2.26.4

Description The issue concerns an OS command injection in the AP mode settings feature. This is specifically related to the /cgi-bin/luci/api/misystem/set router wifiap endpoint, where an attacker can execute any command by sending crafted JSON data.

Recommendations For versions prior to 2.26.4, update to version 2.26.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the /cgi-bin/luci/api/misystem/set router wifiap endpoint to minimize the risk of exploitation.