CVE-2024-45347 Overview
CVE-2024-45347 is an authentication flaw in the Xiaomi Mi Connect Service application. The vulnerability stems from flawed validation logic that allows attackers to gain unauthorized access to a victim's device. The weakness is classified under [CWE-287] Improper Authentication.
An attacker positioned on an adjacent network can exploit this issue without prior authentication and without user interaction. Successful exploitation impacts the confidentiality, integrity, and availability of the connected device. Xiaomi tracks this issue in an advisory published through its MI Security Response Center bulletin.
Critical Impact
Adjacent-network attackers can bypass authentication in Mi Connect Service to gain unauthorized control of a victim's device, with scope change extending impact beyond the vulnerable component.
Affected Products
- Xiaomi Mi Connect Service APP
- Devices paired or managed through Mi Connect Service
- Specific affected versions are listed in the MI Trust Security Advisory
Discovery Timeline
- 2025-06-23 - CVE-2024-45347 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-45347
Vulnerability Analysis
The vulnerability resides in the authentication and authorization logic of the Xiaomi Mi Connect Service mobile application. Mi Connect Service brokers device pairing, discovery, and command relay between user accounts and Xiaomi-ecosystem devices. Because the validation logic for these operations is flawed, an attacker on the same adjacent network as a victim can issue requests that the service accepts as legitimate.
Successful exploitation grants unauthorized access to the victim's device. The scope change indicates that compromise of the Mi Connect Service component extends to resources outside its own security authority, such as paired smart-home or IoT devices. The Common Weakness Enumeration classification is [CWE-287], Improper Authentication.
No public proof-of-concept is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score remains low, indicating a low predicted likelihood of near-term exploitation despite the high technical severity.
Root Cause
The root cause is improper validation of authentication or session state within Mi Connect Service request handling. The application accepts requests or session contexts without verifying that the requester is the legitimate device owner. This allows unauthenticated actors to perform privileged operations otherwise reserved for the bound user account.
Attack Vector
The attack requires adjacent-network access, such as the same Wi-Fi segment, Bluetooth proximity, or a shared local network where Mi Connect Service announces or accepts device-control traffic. The attacker sends crafted requests to the service that exploit the flawed validation logic. No credentials and no user interaction are required, and the attack complexity is low.
Verified exploitation code is not publicly available. Technical specifics of the request flow are documented in the MI Trust Security Advisory.
Detection Methods for CVE-2024-45347
Indicators of Compromise
- Unexpected device pairing events or new controller registrations in the Mi Home or Xiaomi account activity log
- Device state changes (power, lock, camera, sensor) originating from unfamiliar local network sources
- Unusual outbound traffic from mobile devices running Mi Connect Service to unknown LAN peers
Detection Strategies
- Monitor Mi Connect Service and Mi Home account logs for pairing, unpairing, and command events that lack a corresponding legitimate user action
- Inspect local network traffic for unauthenticated control-plane requests targeting Mi Connect Service ports on mobile endpoints
- Correlate device-control events against geolocation and time-of-day baselines for the account owner
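The first and third detection strategies above (commands with no matching user action, and commands that deviate from the owner's baseline) can be turned into a simple correlation check over device-control events. The following is an added example, not Xiaomi code and not the real Mi Connect Service log format: the line layout, the field names, the controller identifiers, the subnet, the active-hours window and every sample record are constructed for this illustration. It alerts on any command from an unpaired controller or an untrusted LAN source, and on commands that both lack a nearby interactive user action and fall outside the owner's usual hours.

```python
"""Correlate device-control events with an account baseline.

Added illustration for the detection strategies above. This is not Xiaomi code
and does not reproduce Mi Connect Service's real log format: the line layout,
field names, controller identifiers and every sample record below are
constructed for this example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ControlEvent:
    ts: datetime        # when the device accepted the command (UTC)
    device: str         # target device (lock, camera, lamp, ...)
    action: str         # command that was executed
    controller: str     # identifier of the client that issued it
    source_ip: str      # LAN address the command arrived from


@dataclass(frozen=True)
class AccountBaseline:
    bound_controllers: frozenset[str]    # controllers the owner actually paired
    trusted_subnets: tuple[str, ...]     # CIDR ranges where the owner's phones live
    active_hours: tuple[int, int]        # [start, end) UTC hours the owner normally acts in
    user_actions: tuple[datetime, ...]   # timestamps of confirmed interactive app actions
    action_window: timedelta = timedelta(minutes=2)


def parse_event(line: str) -> ControlEvent:
    """Parse one constructed log line: '<ISO-8601 ts> key=value ...'."""
    ts_text, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return ControlEvent(ts, fields["device"], fields["action"],
                        fields["controller"], fields["src"])


# Reasons that alone justify an alert; the others only count in combination.
HARD_REASONS = {"unknown-controller", "untrusted-source"}


def evaluate(ev: ControlEvent, b: AccountBaseline) -> list[str]:
    """Return every baseline deviation observed for a single event."""
    reasons = []
    if ev.controller not in b.bound_controllers:
        reasons.append("unknown-controller")
    addr = ipaddress.ip_address(ev.source_ip)
    if not any(addr in ipaddress.ip_network(net) for net in b.trusted_subnets):
        reasons.append("untrusted-source")
    if not any(abs(ev.ts - ua) <= b.action_window for ua in b.user_actions):
        reasons.append("no-user-action")
    start, end = b.active_hours
    if not start <= ev.ts.hour < end:
        reasons.append("off-hours")
    return reasons


def find_suspicious(lines: list[str], b: AccountBaseline):
    """Parse the lines; keep events with a hard reason or at least two soft ones."""
    findings = []
    for ev in sorted(map(parse_event, lines), key=lambda e: e.ts):
        reasons = evaluate(ev, b)
        if HARD_REASONS & set(reasons) or len(reasons) >= 2:
            findings.append((ev, reasons))
    return findings


def _utc(text: str) -> datetime:
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


# Constructed sample baseline: one paired phone, one /24 for the owner's devices.
BASELINE = AccountBaseline(
    bound_controllers=frozenset({"phone-owner"}),
    trusted_subnets=("192.168.10.0/24",),
    active_hours=(7, 22),
    user_actions=(_utc("2025-07-01T18:05:08Z"), _utc("2025-07-01T23:39:30Z")),
)

# Constructed sample events: one normal, two suspicious, one off-hours but user-driven.
SAMPLE_LOG = [
    "2025-07-01T18:05:10Z device=living-room-lamp action=on controller=phone-owner src=192.168.10.20",
    "2025-07-01T02:13:04Z device=front-door-lock action=unlock controller=ctl-9f3a src=192.168.10.77",
    "2025-07-01T02:13:09Z device=hallway-camera action=stream_start controller=phone-owner src=192.168.50.5",
    "2025-07-01T23:40:00Z device=bedroom-lamp action=off controller=phone-owner src=192.168.10.20",
]


def run_sample():
    return find_suspicious(SAMPLE_LOG, BASELINE)


if __name__ == "__main__":
    for ev, reasons in run_sample():
        print(f"{ev.ts.isoformat()} {ev.device}/{ev.action} "
              f"from {ev.controller}@{ev.source_ip}: {', '.join(reasons)}")
```

On the sample data the 02:13 unlock from an unpaired controller and the camera stream started from outside the owner's subnet are reported, while the 23:40 lamp command is not: it is off-hours, but it sits within two minutes of a confirmed user action, so a single soft deviation is not enough on its own. The two-tier rule keeps the owner's own late-night usage from generating noise while still surfacing the patterns the indicators above describe.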
Monitoring Recommendations
- Enable account-level notifications in the Mi Home / Xiaomi account for new device bindings and login events
- Audit guest Wi-Fi and IoT VLAN segments for unauthorized clients capable of reaching managed mobile devices
- Review router and access point logs for new or unrecognized devices joining the same broadcast domain as Xiaomi-managed phones
How to Mitigate CVE-2024-45347
Immediate Actions Required
- Update the Xiaomi Mi Connect Service application to the latest version available through Google Play or the Xiaomi GetApps store
- Apply pending updates to the Mi Home application and all paired Xiaomi-ecosystem devices
- Review bound devices in the Xiaomi account and remove any that are unrecognized
Patch Information
Xiaomi addressed the issue in updated builds of Mi Connect Service. Refer to the MI Trust Security Advisory for exact fixed version numbers and rollout details. Users should ensure auto-update is enabled for both Mi Connect Service and Mi Home.
Workarounds
- Place IoT and Xiaomi devices on a segregated VLAN or guest Wi-Fi network isolated from primary user devices to limit adjacent-network exposure
- Disable Mi Connect Service or revoke its network permissions on devices that do not require Xiaomi ecosystem integration until the patch is applied
- Avoid using Mi Connect Service on untrusted Wi-Fi networks such as public hotspots and shared corporate guest networks
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.