9.8
Mobvoi Tichome Mini smart speaker: Remote attackers can execute root-level commands
CVE-2026-26478
Summary
The Mobvoi Tichome Mini smart speakers (models 012-18853 and 027-58389) have a shell command injection weakness: a remote attacker can send a specially crafted UDP datagram and run commands as the root account, taking control of the device. This could allow them to do things like change settings, access sensitive information, or even shut down the device. We recommend updating the device to the latest software available to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| mobvoi | tichome_mini_firmware | 012-18853 | – |
| mobvoi | tichome_mini_firmware | 027-58389 | – |
Original title
A shell command injection vulnerability in Mobvoi Tichome Mini smart speaker 012-18853 and 027-58389 allows remote attackers to send a specially crafted UDP datagram and execute arbitrary shell cod...
Original description
A shell command injection vulnerability in Mobvoi Tichome Mini smart speaker 012-18853 and 027-58389 allows remote attackers to send a specially crafted UDP datagram and execute arbitrary shell code as the root account.
NVD CVSS 3.1
9.8
Vulnerability type
CWE-78
OS Command Injection
- https://github.com/pastcompute/tichome-poc-1 (Exploit, Third Party Advisory)
- https://web.archive.org/web/20171202094530/ (Not Applicable)
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026