CVE-2026-26478
Mobvoi · Tichome Mini
A shell command injection vulnerability in Mobvoi Tichome Mini allows unauthenticated remote attackers to execute arbitrary code as root via specially crafted UDP datagrams.
Executive summary
The Mobvoi Tichome Mini smart speaker is vulnerable to a critical remote command injection that allows unauthenticated attackers to gain root-level shell access via the network.
Vulnerability
A shell command injection vulnerability exists in the way the device processes UDP datagrams. An unauthenticated remote attacker can send a specially crafted UDP packet to the device, triggering the execution of arbitrary shell commands with root-level privileges on the underlying operating system.
Business impact
With a CVSS score of 9.8, this vulnerability is extremely severe. An attacker can gain full control of the device, listen to audio, pivot to other devices on the local network, or incorporate the speaker into a botnet. This represents a significant breach of privacy and a security risk to the network where the device is deployed.
Remediation
Immediate Action: Apply the latest firmware update from Mobvoi to the Tichome Mini smart speaker as soon as it is available.
Proactive Monitoring: Monitor local network traffic for anomalous UDP traffic directed at smart speakers and audit for unexpected outbound connections from these devices.
Compensating Controls: Place IoT devices like smart speakers on a dedicated, isolated VLAN to prevent them from interacting with sensitive corporate or personal data systems.
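The monitoring and isolation controls above can be checked mechanically against flow records. The following is an added example, not part of the advisory and not Mobvoi code: it reads constructed flow records (source, destination, protocol, destination port, bytes) and flags the two conditions the remediation names, inbound UDP reaching a speaker from outside its IoT VLAN and a speaker opening connections to the trusted LAN or to unexpected outbound ports. The subnets, speaker addresses and allowed port list are placeholders that a deployment would replace with its own.

```python
"""Added example (not from the advisory): flag flows that contradict the
'isolated IoT VLAN' and 'no unexpected outbound connections' controls."""
import ipaddress
from dataclasses import dataclass

# Placeholder topology (assumption, not from the advisory).
IOT_VLAN = ipaddress.ip_network("192.0.2.0/24")        # isolated IoT segment
SPEAKERS = {ipaddress.ip_address("192.0.2.10"),
            ipaddress.ip_address("192.0.2.11")}         # smart speakers on it
TRUSTED_LAN = ipaddress.ip_network("198.51.100.0/24")  # segment speakers must never reach
ALLOWED_OUTBOUND_PORTS = {53, 123, 443}                # DNS, NTP, HTTPS (assumed baseline)


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'src dst proto dport bytes'."""
    src, dst, proto, dport, nbytes = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport), int(nbytes))


def classify(flow: Flow) -> list[str]:
    """Return the control violations a single flow represents (empty if none)."""
    findings = []
    # Control 1: a speaker should only ever see UDP from its own segment.
    if flow.dst in SPEAKERS and flow.proto == "udp" and flow.src not in IOT_VLAN:
        findings.append("inbound-udp-to-speaker-from-outside-iot-vlan")
    # Control 2: a speaker should not initiate traffic toward the trusted LAN,
    # and its other outbound traffic should stay on an expected port baseline.
    if flow.src in SPEAKERS and flow.dst not in IOT_VLAN:
        if flow.dst in TRUSTED_LAN:
            findings.append("speaker-reaching-trusted-lan")
        elif flow.dport not in ALLOWED_OUTBOUND_PORTS:
            findings.append("unexpected-outbound-port")
    return findings


def analyze(lines) -> dict[str, list[str]]:
    """Map each flagged record to its findings; comments and blanks are skipped."""
    report = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hits = classify(parse_flow(line))
        if hits:
            report[line] = hits
    return report


# Constructed sample records (not captured traffic).
SAMPLE_FLOWS = """
# src dst proto dport bytes
192.0.2.50 192.0.2.10 udp 1900 120
203.0.113.7 192.0.2.10 udp 5000 96
192.0.2.10 203.0.113.20 tcp 443 2048
192.0.2.10 198.51.100.5 tcp 445 512
192.0.2.11 203.0.113.99 tcp 6667 300
""".strip().splitlines()

if __name__ == "__main__":
    for record, findings in analyze(SAMPLE_FLOWS).items():
        print(record, "->", ", ".join(findings))
```

The first record (discovery traffic from a neighbour on the same IoT VLAN) is left alone, which is the point of keying the inbound rule on the segment rather than on the UDP port: the advisory gives no port, so a segment-based rule does not depend on one. Feed real flow exports through `parse_flow` by adapting only that function.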
Exploitation status
Public Exploit Available: false
Analyst recommendation
Users and administrators should immediately update their Mobvoi Tichome Mini devices. Given the potential for root-level access via the network, these devices should be strictly isolated from critical network segments until the patch is confirmed to be in place.