CVE-2019-18371

HIGH EXPLOITED NUCLEI

Millet Router 3G Firmware < 2.28.23 - Unauthenticated Path Traversal via NGINX Alias Misconfiguration

Title source: llm

Exploitation Summary

CVE-2019-18371 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including UltramanGaia, AjayMT6. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains functional exploit code for CVE-2019-18371, demonstrating arbitrary file read and remote command execution vulnerabilities in Xiaomi Mi WiFi R3G routers. The PoC includes detailed technical analysis and operational exploit scripts.

Description

An issue was discovered on Xiaomi Mi WiFi R3G devices before 2.28.23-stable. There is a directory traversal vulnerability to read arbitrary files via a misconfigured NGINX alias, as demonstrated by api-third-party/download/extdisks../etc/config/account. With this vulnerability, the attacker can bypass authentication.

Exploits (2)

nomisec WORKING POC 186 stars

by UltramanGaia · remote

https://github.com/UltramanGaia/Xiaomi_Mi_WiFi_R3G_Vulnerability_POC

View Code ZIP pw:eip

This repository contains functional exploit code for CVE-2019-18371, demonstrating arbitrary file read and remote command execution vulnerabilities in Xiaomi Mi WiFi R3G routers. The PoC includes detailed technical analysis and operational exploit scripts.

Classification

Working Poc 100%

Attack Type

Rce | Info Leak | Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Xiaomi Mi WiFi R3G before version stable 2.28.23

No auth needed

Prerequisites: Network access to the vulnerable router · Router running a vulnerable firmware version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1005 - Data from Local System

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec WORKING POC

by AjayMT6 · poc

https://github.com/AjayMT6/UltramanGaia

View Code ZIP pw:eip

The repository contains functional exploit code for CVE-2019-18371, demonstrating an arbitrary file read vulnerability and remote command execution in Xiaomi Mi WiFi R3G routers. The PoC leverages a misconfigured NGINX alias for directory traversal and a command injection flaw in speed test functionality.

Classification

Working Poc 95%

Attack Type

Rce | Info Leak | Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Xiaomi Mi WiFi R3G before version stable 2.28.23

No auth needed

Prerequisites: Network access to the vulnerable router · Router running a vulnerable firmware version

MITRE ATT&CK

T1005 - Data from Local System T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 19, 2026 Full analysis →

Nuclei Templates (1)

Xiaomi Mi WiFi R3G Routers - Local file Inclusion

HIGHby ritikchaddha

References (1)

Core 1

Core References

Exploit, Third Party Advisory x_refsource_misc

https://github.com/UltramanGaia/Xiaomi_Mi_WiFi_R3G_Vulnerability_POC/blob/master/arbitrary_file_read_vulnerability.py

View Exploit ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.5543

EPSS Percentile 98.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2025-01-02

CWE

CWE-22

Status published

Products (1)

mi/millet_router_3g_firmware < 2.28.23

Published Oct 23, 2019

Tracked Since Feb 18, 2026