The company - one of China's largest phone manufacturers - had a vulnerability stemming from the Guard Provider app, which was intended as a security feature with three antivirus programmes included to detect malware.
However, Check Point researcher Slava Makkaveev said on Thursday (04.04.19) that it introduced a flaw by fetching its updates over an unsecured HTTP connection.
This meant that a potential attacker could - if they were on the same Wi-Fi network - insert malware into the updates through a "man-in-the-middle attack".
In such an attack, a rogue network is set up to look like the one the victim has connected to, and the victim's device is tricked into joining it, so the attacker sits between the device and the update server.
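As an added illustration (not code from Check Point, Xiaomi or Avast), the Python below shows the client-side checks that close this kind of update-channel weakness: refusing plaintext HTTP update sources and verifying a signed manifest and payload digest before anything is applied. The vendor key, URLs and sample payload are constructed for the example, and the HMAC-SHA256 signature stands in for the asymmetric signature a real updater would use.

```python
"""Minimal update-client checks against a plaintext update channel:
refuse non-HTTPS sources and verify the payload before applying it.

Assumptions (example code, not any vendor's): the vendor ships a manifest
{"url", "sha256", "sig"} and the client holds a verification key. The
signature is HMAC-SHA256 with a constructed key, a stand-in for the
public-key signature a production updater would check.
"""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed verification key; a real client would embed a public key.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


class UpdateRejected(Exception):
    """Raised when any transport or integrity check fails."""


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    """Vendor side: sign the canonical form of (url, sha256)."""
    body = json.dumps({"url": manifest["url"], "sha256": manifest["sha256"]},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def check_transport(url: str) -> None:
    """Reject any update source that is not HTTPS; a plaintext HTTP
    channel is what lets an on-path attacker swap the update."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise UpdateRejected(f"insecure or malformed update URL: {url}")


def verify_update(manifest: dict, payload: bytes, key: bytes = VENDOR_KEY) -> bool:
    """Client side: transport check, manifest signature, then payload digest.
    Returns True only when every check passes; raises UpdateRejected otherwise."""
    check_transport(manifest["url"])
    expected_sig = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected_sig, manifest.get("sig", "")):
        raise UpdateRejected("manifest signature mismatch")
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        raise UpdateRejected("payload digest does not match signed manifest")
    return True


def make_manifest(url: str, payload: bytes) -> dict:
    """Vendor side: build and sign a manifest for a payload (constructed data)."""
    m = {"url": url, "sha256": hashlib.sha256(payload).hexdigest()}
    m["sig"] = sign_manifest(m)
    return m


# Constructed sample update; stands in for an antivirus definition bundle.
GOOD_PAYLOAD = b"av-definitions-v1"
GOOD_MANIFEST = make_manifest("https://updates.example.invalid/av/defs.bin", GOOD_PAYLOAD)


def demo() -> dict:
    """Exercise the three cases a practitioner would test: a genuine update
    over HTTPS, the same manifest served over plain HTTP, and a tampered payload."""
    results = {}
    results["genuine"] = verify_update(GOOD_MANIFEST, GOOD_PAYLOAD)
    http_manifest = dict(GOOD_MANIFEST, url="http://updates.example.invalid/av/defs.bin")
    try:
        verify_update(http_manifest, GOOD_PAYLOAD)
        results["plaintext_http"] = "accepted"
    except UpdateRejected as e:
        results["plaintext_http"] = str(e)
    try:
        verify_update(GOOD_MANIFEST, b"swapped-in-by-attacker")
        results["tampered"] = "accepted"
    except UpdateRejected as e:
        results["tampered"] = str(e)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The transport check runs before the integrity checks on purpose: even a correctly signed update should not be fetched over a channel an on-path attacker can observe and rewrite, and rejecting the URL early keeps the client from ever parsing attacker-controlled bytes.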
The issue was raised with Xiaomi, and the company - which uses antivirus scanners Avast, AVL and Tencent - said it had already worked on a patch to fix the flaw.
A spokeswoman for the phone maker said: "Xiaomi is aware of this and have already worked with our partner Avast to fix it."