CVE-2024-45352

HIGH

Xiaomi smarthome application 10.0.623 - Remote Code Execution


Exploitation Summary

EIP tracks 3 public exploits for CVE-2024-45352. PoCs published by Edwins907.

AI-analyzed exploit summary: The repository provides a functional proof-of-concept for CVE-2024-45352, demonstrating unauthenticated remote code execution in Xiaomi Smarthome via a crafted API request. The PoC leverages improper input handling in the internal API parser to execute arbitrary commands.

Description

A code execution vulnerability exists in the Xiaomi smarthome application product. The vulnerability is caused by improper input validation and can be exploited by attackers to execute malicious code.

Exploits (3)

nomisec WORKING POC 1 stars
by Edwins907 · poc
https://github.com/Edwins907/-CVE-2024-45352

The repository provides a functional proof-of-concept for CVE-2024-45352, demonstrating unauthenticated remote code execution in Xiaomi Smarthome via a crafted API request. The PoC leverages improper input handling in the internal API parser to execute arbitrary commands.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Xiaomi Smarthome application
No auth needed
Prerequisites: Network access to the target device · Xiaomi Smarthome application running on the target
devstral-2 · analyzed Feb 19, 2026

nomisec STUB
by Edwins907 · poc
https://github.com/Edwins907/CVE-2024-45352

The repository contains only a minimal README with a CVE title and no technical details, exploit code, or analysis. It appears to be a placeholder without substantive content.

Classification: Stub 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: Xiaomi (unspecified version)
No auth needed
devstral-2 · analyzed Feb 19, 2026

nomisec WORKING POC
by Edwins907 · poc
https://github.com/Edwins907/xiaomi-cve-2024-45352

The repository contains a functional Proof of Concept (PoC) for CVE-2024-45352, demonstrating how a malicious app can exploit Xiaomi's default browser by passing unvalidated intents via `startActivity` to open arbitrary URLs. The PoC includes Java code to launch the browser with a malicious URL, highlighting the lack of intent validation.

Classification: Working PoC 90%
Attack Type: Other
Complexity: Trivial
Reliability: Reliable
Target: Xiaomi default browser (com.android.browser) on MIUI devices
No auth needed
Prerequisites: Malicious app installed on the target device
devstral-2 · analyzed Feb 19, 2026

Scores

CVSS v3 8.8
EPSS 0.0024
EPSS Percentile 14.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE CWE-346
Status published
Products (1)
Xiaomi/Xiaomi smarthome application Xiaomi smarthome application 10.0.623
Published Mar 27, 2025
Tracked Since Feb 18, 2026