External risk intelligence

MiCode FileExplorer FTP Authentication Bypass

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-29515

The vulnerability exists in an FTP server component. FTP services are frequently deployed as network-accessible interfaces for file transfer, making them commonly reachable in environments where such services are enabled and exposed to provide file access.

Authentication Bypass

Xiaomi Fileexplorer

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the FileExplorer's embedded FTP server allows unauthorized network access, bypassing authentication to list, read, write, and delete files. This open-source project is no longer supported.

  • Unauthenticated access to file server.
  • Matters due to bypass and unsupported software.
  • Confirm relevance; no explicit business impact.

Attack Path

How an attacker could exploit the issue

Attackers can bypass authentication in the embedded SwiFTP FTP server component of MiCode FileExplorer. This allows them to access the server without valid credentials, leading to unauthorized file operations.

  • Network access required.
  • PASS command handler bypasses login.
  • Unauthorized file listing, reading, writing, deleting.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in the embedded FTP server component could allow network attackers to bypass authentication and gain access to files exposed by the server. When supported by the advisory, this could enable listing, reading, writing, and deleting files without valid credentials.

  • Exposed files and data.
  • Network access bypassing authentication.
  • Unauthorized file manipulation.

Operational Fix

Recommended remediation, mitigation, and detection steps

The MiCode FileExplorer's embedded SwiFTP server component has a critical authentication bypass vulnerability, allowing unauthenticated network access. Since the project is end-of-life, direct vendor remediation is unlikely, shifting responsibility to internal teams to identify and mitigate exposure. Infrastructure or platform teams likely manage the deployment of this file-sharing component, requiring them to first confirm its presence and network reachability. Security teams should then assess the business criticality of any identified instances to prioritize remediation efforts, which may involve isolating the service, restricting access, or implementing compensating controls if patching is not feasible.

  • Confirm deployment, reachability, and ownership.
  • Verify business criticality and exposure.
  • Plan isolation or compensating controls.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is MiCode FileExplorer?

MiCode FileExplorer is an open-source file management application that historically allowed users to navigate and manage files on their devices. It includes an embedded SwiFTP component, which functions as an FTP server to enable network-based file transfers. Because this project has reached end-of-life, it no longer receives updates or support from the original developers.

How does CVE-2026-29515 affect the FTP server?

This vulnerability involves an authentication bypass, specifically categorized as improper implementation of authentication (CWE-303) and missing authorization (CWE-862). In this instance, the SwiFTP component fails to validate credentials during the login process. When an attacker sends a command to the server, the system unconditionally accepts the request, granting full access to read, write, or delete files without ever requiring a valid username or password.

What triggers this authentication bypass?

The bypass is triggered when an attacker connects to the FTP server over the network and interacts with the PASS command handler. The vulnerability is specific to the handling of these authentication commands. Importantly, simply having the application installed does not trigger the flaw; the FTP server component must be active and listening for network connections for an attacker to successfully execute the bypass.

Is my network environment at risk from this CVE?

If you are running MiCode FileExplorer, you should evaluate whether the FTP service is reachable. According to Halo Surface Signal, this vulnerability is classified as likely to be exposed because FTP services are often intentionally configured to be network-accessible for file sharing. Systems that expose this interface to the internet or to untrusted network segments are at the highest risk of unauthorized access.

What should I do if I use this software?

Since the software is no longer supported, you cannot expect a vendor patch. Your first step is to audit your environment to identify any systems running this component. If you find it, prioritize isolating the service from the network or disabling the FTP functionality entirely. If the service is necessary for operations, implement strict network-level controls or compensating security measures to restrict who can communicate with the FTP server.

References