TVE-2026-01: Xiaomi miIO Protocol Authentication Bypass

An attacker sending malformed miIO messages over WiFi to a Xiaomi Smart camera device can trigger the vulnerability described here. This report describes a protocol design issue that leads to authentication bypass in the proprietary Xiaomi miIO protocol. The vulnerability described in this advisory affects a potentially wide range of Xiaomi Smart devices. The vendor has not yet issued a public patch or advisory, or assigned a CVE, for this vulnerability, despite repeated requests and a lapse of more than six months since the original vendor disclosure.

Vulnerability Details

For packets received on UDP port 54321, the miio_client binary verifies the MAC and then decrypts the received packet.

TVE-2026-02: Xiaomi miIO client cryptographically weak PRNG

An attacker sending malformed miIO messages over WiFi to a Xiaomi Smart camera device can trigger the vulnerability described here. This report describes the use of a cryptographically weak PRNG implementation, which leads to reliable prediction of cryptographic primitives used in the proprietary Xiaomi miIO protocol’s authentication and key agreement procedure. The vulnerability described in this advisory affects a potentially wide range of Xiaomi Smart devices. The vendor has not yet issued a public patch or advisory, or assigned a CVE, for this vulnerability, despite repeated requests and a lapse of more than six months since the original vendor disclosure.

TVE-2026-03: Xiaomi miIO client heap buffer overflow

An attacker sending a malformed miIO message over WiFi to a Xiaomi Smart camera device can trigger the vulnerability described here. This report describes a heap buffer overflow, which leads to remote code execution. The vulnerability described in this advisory affects a potentially wide range of Xiaomi Smart devices. The vendor has not yet issued a public patch or advisory, or assigned a CVE, for this vulnerability, despite repeated requests and a lapse of more than six months since the original vendor disclosure.

Vulnerability Details

Due to a flaw in the design of the handshake sequence, it is possible to complete the setup flow without knowledge of the setup code by replaying certain values that the camera sends.