CVE-2026-29515
Last modified
CVE-2026-29515 is a critical-severity vulnerability rated 9.3/10 on the CVSS scale. MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without valid credentials. Attackers can send arbitrary username and password combinations to the PASS command handler, which unconditionally grants access and allows listing, reading, writing, and deleting files exposed by the FTP server. EPSS estimates a 0.48% chance of exploitation in the next 30 days.
Description
MiCode FileExplorer contains an authentication bypass vulnerability in the embedded SwiFTP FTP server component that allows network attackers to log in without valid credentials. Attackers can send arbitrary username and password combinations to the PASS command handler, which unconditionally grants access and allows listing, reading, writing, and deleting files exposed by the FTP server. The MiCode/Explorer open source project has reached end-of-life status.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Xiaomi | Fileexplorer | All versions |
References
- https://www.vulncheck.com/advisories/micode-fileexplorer-swiftp-server-authentication-bypassThird Party Advisory, VDB Entry
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-29515?
How severe is CVE-2026-29515?
How do I fix CVE-2026-29515?
Are you affected by CVE-2026-29515?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST