CVE-2026-29515 Overview
MiCode FileExplorer contains a critical authentication bypass vulnerability in its embedded SwiFTP FTP server component. This flaw allows network-based attackers to log in without valid credentials by exploiting a logic error in the PASS command handler. Attackers can send arbitrary username and password combinations, and the server unconditionally grants access, enabling unauthorized listing, reading, writing, and deleting of files exposed by the FTP server. The MiCode/Explorer open source project has reached end-of-life status, meaning no official patches will be released.
Critical Impact
Network attackers can bypass authentication entirely and gain full read/write access to files exposed via the FTP server, potentially leading to data theft, modification, or deletion on affected devices.
Affected Products
- MiCode FileExplorer (all versions with embedded SwiFTP FTP server)
- SwiFTP FTP server component within FileExplorer
- Android devices running MiCode FileExplorer with FTP server feature enabled
Discovery Timeline
- 2026-03-11 - CVE-2026-29515 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-29515
Vulnerability Analysis
This vulnerability is classified under CWE-303 (Incorrect Implementation of Authentication Algorithm), indicating a fundamental flaw in how the SwiFTP FTP server component validates user credentials. The authentication mechanism in the PASS command handler fails to properly verify submitted credentials against valid user accounts, instead unconditionally accepting any username and password combination.
The impact is severe for users who enable the FTP server feature within FileExplorer. Once authenticated (which requires no real credentials), attackers gain the ability to list directory contents, read sensitive files, write new files or overwrite existing ones, and delete files from the device. This could lead to exposure of personal data, installation of malicious files, or destruction of user data.
The end-of-life status of the MiCode/Explorer project compounds this issue, as no vendor-provided fix will be forthcoming. Users must discontinue use of the FTP server feature or migrate to an actively maintained alternative.
Root Cause
The root cause lies in the PASS command handler's implementation, which unconditionally grants access regardless of the credentials provided. Rather than comparing the submitted username and password against stored credentials and returning an authentication failure upon mismatch, the handler proceeds to grant access for any input. This represents a complete failure of the authentication control, effectively leaving the FTP server open to any network attacker.
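The logic error described above, modelled in Python next to a handler that fails closed. This is an added illustration, not SwiFTP's Java source: the `Session` class, the handler names and the account table are hypothetical, and only the reply codes (230, 503, 530) come from the FTP standard.

```python
import hmac

# Hypothetical stored account for this model (constructed values).
ACCOUNTS = {"ftpuser": "correct-horse-battery"}

class Session:
    def __init__(self):
        self.user = None            # name from the last USER command
        self.authenticated = False

def pass_flawed(session, password):
    """Models the behaviour described above: PASS never checks anything."""
    session.authenticated = True
    return "230 Access granted"

def pass_checked(session, password, accounts=ACCOUNTS):
    """PASS that verifies the credential and fails closed."""
    session.authenticated = False   # drop any earlier login state
    if session.user is None:
        return "503 Login with USER first"
    expected = accounts.get(session.user)
    # Always run the comparison, even for unknown users.
    candidate = expected if expected is not None else ""
    ok = hmac.compare_digest(password.encode(), candidate.encode())
    if expected is None or not ok:
        session.user = None         # force a fresh USER before any retry
        return "530 Login incorrect"
    session.authenticated = True
    return "230 Access granted"

def login(handler, username, password):
    """Run USER then PASS through the given handler; return (reply, authed)."""
    s = Session()
    s.user = username
    reply = handler(s, password)
    return reply, s.authenticated
```

With the flawed handler every credential pair ends in a 230 reply; with the checked handler only the stored pair does, and a PASS sent without a preceding USER is refused with 503.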
Attack Vector
The attack can be executed remotely over the network by any attacker who can reach the FTP server port on an affected device. The exploitation process is straightforward:
- Attacker identifies a device running MiCode FileExplorer with the FTP server feature enabled
- Attacker connects to the FTP service on the exposed port
- Attacker issues USER command with any arbitrary username
- Attacker issues PASS command with any arbitrary password
- Server unconditionally grants access, bypassing all authentication
- Attacker now has full access to list, read, write, and delete files
This attack requires no user interaction and no authentication privileges. The technical details can be found in the VulnCheck Advisory.
Detection Methods for CVE-2026-29515
Indicators of Compromise
- Unexpected FTP connections to devices running MiCode FileExplorer
- FTP authentication logs showing successful logins with unusual or random usernames
- Unusual file access patterns, deletions, or modifications on devices with FTP server enabled
- Network traffic showing FTP protocol activity from unexpected source IP addresses
Detection Strategies
- Monitor network traffic for FTP connections (typically port 2121 or custom ports) to mobile devices
- Implement network-based intrusion detection rules for FTP brute-force patterns, noting that even single attempts may succeed
- Review device logs for FTP server activity if logging is enabled
- Deploy endpoint protection capable of monitoring mobile application network behavior
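Because a single login attempt succeeds, failure-count thresholds never fire. The added example below (not part of the original advisory) alerts on the first accepted login from outside a trusted range and flags a server that accepts several usernames without ever refusing one. The log format, the sample lines and the trusted range 192.168.1.0/24 are constructed assumptions.

```python
import ipaddress
import re

# Constructed FTP control-channel lines as a network sensor might record them:
# "<timestamp> <client-ip> <direction> <payload>" (">" = client to server).
SAMPLE = """\
2026-03-12T10:00:01 192.168.1.20 > USER alice
2026-03-12T10:00:01 192.168.1.20 < 331 Send password
2026-03-12T10:00:02 192.168.1.20 > PASS hunter2
2026-03-12T10:00:02 192.168.1.20 < 230 Access granted
2026-03-12T11:14:40 203.0.113.7 > USER qz81kx
2026-03-12T11:14:40 203.0.113.7 < 331 Send password
2026-03-12T11:14:41 203.0.113.7 > PASS a
2026-03-12T11:14:41 203.0.113.7 < 230 Access granted
""".splitlines()

LINE = re.compile(r"^(\S+) (\S+) ([<>]) (\S+)(?: (.*))?$")

def analyze(lines, trusted_net="192.168.1.0/24"):
    """Return findings for one FTP server's control-channel log."""
    trusted = ipaddress.ip_network(trusted_net)
    pending = {}                 # client ip -> username awaiting a PASS reply
    accepted, rejected = set(), 0
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts, ip, direction, word, rest = m.groups()
        if direction == ">" and word.upper() == "USER":
            pending[ip] = rest or ""
        elif direction == "<" and word == "530":
            rejected += 1
            pending.pop(ip, None)
        elif direction == "<" and word == "230" and ip in pending:
            user = pending.pop(ip)
            accepted.add(user)
            # One success is enough: do not wait for a failure threshold.
            if ipaddress.ip_address(ip) not in trusted:
                findings.append(("untrusted_login", ts, ip, user))
    # Several different usernames accepted and nothing ever refused
    # is consistent with a server that does not check credentials.
    if len(accepted) >= 2 and rejected == 0:
        findings.append(("no_rejections", len(accepted)))
    return findings
```

The `no_rejections` finding is a heuristic: a healthy server with few users and no mistyped passwords in the window produces it too, so treat it as a prompt to check which application is serving FTP on that host.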
Monitoring Recommendations
- Configure network security monitoring to alert on any FTP server activity from mobile devices
- Implement egress filtering to identify unexpected FTP data transfers
- Use mobile device management (MDM) solutions to inventory applications and detect FileExplorer installations
- SentinelOne Singularity™ platform can provide visibility into mobile endpoint activity and detect anomalous network connections
How to Mitigate CVE-2026-29515
Immediate Actions Required
- Disable the FTP server feature in MiCode FileExplorer immediately
- Uninstall MiCode FileExplorer and migrate to an actively maintained file management application
- Block FTP traffic from mobile devices at the network perimeter
- Review device file systems for signs of unauthorized access or modification
- Ensure devices running FileExplorer are not exposed to untrusted networks
Patch Information
No official patch is available for this vulnerability. The MiCode/Explorer project has reached end-of-life status and is no longer maintained. Users are strongly advised to discontinue use of the affected application entirely. For additional details, refer to the GitHub FileExplorer Repository.
Workarounds
- Disable the SwiFTP FTP server feature within FileExplorer settings and use alternative file transfer methods
- Implement network segmentation to isolate devices running the vulnerable application
- Use firewall rules to block inbound connections to FTP ports on mobile devices
- Consider using VPN or other secure tunneling when file transfer functionality is required
- Deploy mobile threat defense solutions to monitor for exploitation attempts
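```bash
# Network-level mitigation: block inbound FTP connections to the mobile device subnet
# Example iptables rules (adjust IP ranges and ports as needed)
# The FTP server listens on the device, so match on destination (-d), not source.
# FORWARD only covers routed traffic; hosts on the same subnet are not filtered here.
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 21 -j DROP
iptables -A FORWARD -p tcp -d 192.168.1.0/24 --dport 2121 -j DROP
```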

