CRITICALCVE-2024-45347CVSS 9.6

CVE-2024-45347: Unauthorized Access in Xiaomi Mi Connect Service

Platform

android

Component

xiaomi-mi-connect-service

Fixed in

3.1.896

AI Confidence: highNVDEPSS 0.1%Reviewed: May 2026

View on NVD

Save

CVE-2024-45347 describes an unauthorized access vulnerability discovered in the Xiaomi Mi Connect Service application. This flaw allows attackers to bypass validation checks and potentially gain access to a victim's device without proper authorization. The vulnerability impacts versions 3.1.895.10–3.1.895.10 of the application, and a fix is available in version 3.1.896.

Impact and Attack Scenarios

The impact of CVE-2024-45347 is significant due to the potential for unauthorized device access. An attacker exploiting this vulnerability could potentially access sensitive data stored on the device, including personal information, contacts, and potentially control connected smart home devices managed through the Mi Connect Service. The scope of access would depend on the permissions granted to the Mi Connect Service application on the victim's device. Successful exploitation could lead to privacy breaches, data theft, and potentially even device compromise.

Exploitation Context

CVE-2024-45347 was published on 2025-06-23. The vulnerability's CRITICAL CVSS score indicates a high probability of exploitation. Public proof-of-concept (POC) code is currently unavailable, but the severity suggests that attackers may actively seek to exploit this vulnerability. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown

CISA KEVNO

Internet ExposureMedium

EPSS

0.05% (17% percentile)

CISA SSVC

Exploitationnone

Automatableno

Technical Impacttotal

CVSS Vector

Affected Software

Componentxiaomi-mi-connect-service

VendorXiaomi

Affected rangeFixed in

Xiaomi Mi Connect Service3.1.895.10 – Xiaomi Mi Connect Service3.1.895.103.1.896

Weakness Classification (CWE)

CWE-287

Timeline

Reserved2024-08-28
Published2025-06-23
EPSS updated2026-04-02

Mitigation and Workarounds

The primary mitigation for CVE-2024-45347 is to immediately upgrade the Xiaomi Mi Connect Service application to version 3.1.896 or later. Users should ensure automatic updates are enabled to receive the fix promptly. As a temporary workaround, users can restrict the permissions granted to the Mi Connect Service application to minimize the potential impact of a successful attack. Regularly review app permissions and revoke any unnecessary access.

How to fix

Update the Mi Connect Service APP to the latest version available in the app store. This will resolve the unauthorized access vulnerability. Refer to the Xiaomi security bulletin for more details.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2024-45347 — Unauthorized Access in Xiaomi Mi Connect Service?

CVE-2024-45347 is a CRITICAL vulnerability in Xiaomi Mi Connect Service allowing unauthorized access due to flawed validation logic. It affects versions 3.1.895.10–3.1.895.10.

Am I affected by CVE-2024-45347 in Xiaomi Mi Connect Service?

You are affected if you are using Xiaomi Mi Connect Service version 3.1.895.10–3.1.895.10 and have not upgraded.

How do I fix CVE-2024-45347 in Xiaomi Mi Connect Service?

Upgrade Xiaomi Mi Connect Service to version 3.1.896 or later. Enable automatic updates to ensure you receive the fix promptly.

Is CVE-2024-45347 being actively exploited?

While no public exploits are currently available, the CRITICAL severity suggests a high likelihood of active exploitation.

Where can I find the official Xiaomi advisory for CVE-2024-45347?

Refer to the official Xiaomi security advisory for details and updates regarding CVE-2024-45347.

NextGuard

Vulnerabilities

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Android / Gradle

Detect this CVE in your project

Upload your build.gradle file and we'll tell you instantly if you're affected.

Scan free

Search CVEs

Upload build.gradle

What do these metrics mean?

Attack Vector: Adjacent — requires network proximity: same LAN, Bluetooth, or local wireless segment. Not internet-exposed.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: None — unauthenticated. No login or credentials needed to exploit.
User Interaction: None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability: High — complete crash or resource exhaustion. Full denial of service.