A buffer overflow vulnerability has been discovered in MikroTik RouterOS 7, affecting the parse_json_element function within the libjson.so component. The vulnerability is triggered through the /rest/ip/address/print endpoint and can be exploited remotely. The exploit for this issue has been publicly disclosed and may be actively used.
Upgrading to RouterOS version 7.20.1 or 7.21beta2 mitigates this issue. The vendor has confirmed that a fix has been implemented and plans to release a RouterOS update containing the patch. Users should upgrade to the latest available version to ensure full protection.
MikroTik always recommends keeping RouterOS devices up to date and using a strong firewall so REST API and management services are available only from trusted networks.
A cross-site scripting (XSS) vulnerability has been discovered in the hotspot functionality of MikroTik RouterOS, affecting versions below 7.19.2. An attacker can inject the javascript protocol via the dst parameter in a crafted URL. When a victim browses to this malicious URL and logs in through the hotspot page, the injected XSS payload executes in their browser.
Additionally, the POST request used for login can be converted to a GET request. This allows an attacker to craft a URL that automatically logs the victim into the attacker’s account and triggers the payload, requiring no interaction beyond visiting the link.
Users are advised to upgrade to RouterOS 7.20 or any later version to address this vulnerability.
MikroTik always recommends keeping RouterOS devices up to date and using a strong firewall to protect router management services from untrusted networks; hotspot access should still be configured only as broadly as the deployment requires.
A misconfiguration in the default settings of MikroTik RouterOS 7 allows incoming IPv6 UDP traceroute packets, which could permit unauthorized network reconnaissance from external sources.
Users are advised to upgrade to RouterOS 6.49.13, 7.14, or any later version to address this vulnerability.
MikroTik always recommends keeping RouterOS devices up to date and using a strong firewall to protect the device from traffic arriving from untrusted networks.
An improper access control vulnerability has been identified in MikroTik RouterOS, related to the handling of VXLAN source IP addresses. This flaw allows remote attackers to bypass access restrictions on affected installations without requiring authentication.
The specific issue exists within the processing of remote IP addresses during VXLAN traffic handling. The router fails to validate the remote IP address against configured values before allowing ingress traffic into the internal network. An attacker can exploit this lack of validation to gain unauthorized access to internal network resources. This vulnerability was tracked as ZDI-CAN-26415.
Users are advised to upgrade to RouterOS 7.20 or any later version to mitigate this vulnerability.
MikroTik always recommends keeping RouterOS devices up to date and using a strong firewall to limit exposure from untrusted networks, including traffic to services or tunnel endpoints that should be reachable only from trusted peers.
A memory corruption vulnerability has been discovered in the SMB service of MikroTik RouterOS. Remote, unauthenticated attackers can exploit this issue by sending specially crafted packets to the SMB service, triggering a null pointer dereference. This results in a remote denial of service (DoS) condition, rendering the SMB service unavailable.
Users are advised to upgrade to the latest RouterOS 7.x stable release to address this vulnerability.
MikroTik always recommends keeping RouterOS devices up to date and using a strong firewall so SMB and other device services are not reachable from untrusted networks.
Issue Summary
A vulnerability has been identified in the WinBox service, where a discrepancy in response size between connection attempts with valid and invalid usernames allows attackers to confirm whether user accounts exist by brute-forcing the login process. In other words, when an attacker tries to log into the device, examining the response lets the attacker deduce whether such a user exists on the device. Even if a username is found, the password still needs to be guessed.
Affected Versions
RouterOS versions prior to 6.49.18 and 7.18.
Recommended Actions
Update RouterOS – Upgrade to 6.49.18, 7.18, or a newer version to patch the vulnerability.
Monitor for unusual login attempts – Review router logs for suspicious authentication activity and take action accordingly.
MikroTik always recommends keeping RouterOS devices up to date and using a strong firewall so WinBox and other management services are not reachable from untrusted networks.
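As an added illustration of the "monitor for unusual login attempts" step (example code, not from MikroTik), the script below scans RouterOS-style login-failure log lines and separates a source that cycles through many usernames in a short window (the enumeration pattern this advisory describes) from a source repeatedly failing against one account. The log lines, addresses, usernames and thresholds are constructed for the example; only the "login failure for user ... from ... via ..." message shape follows RouterOS.

```python
import re
from collections import defaultdict

# Constructed sample in the shape RouterOS uses for failed logins
# ("login failure for user <name> from <ip> via <service>"); the
# usernames, addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
jan/02 10:15:01 system,error,critical login failure for user admin from 203.0.113.5 via winbox
jan/02 10:15:02 system,error,critical login failure for user root from 203.0.113.5 via winbox
jan/02 10:15:02 system,error,critical login failure for user support from 203.0.113.5 via winbox
jan/02 10:15:03 system,error,critical login failure for user guest from 203.0.113.5 via winbox
jan/02 10:20:00 system,error,critical login failure for user admin from 192.168.88.10 via winbox
jan/02 10:20:30 system,error,critical login failure for user admin from 192.168.88.10 via winbox
jan/02 10:21:00 system,error,critical login failure for user admin from 192.168.88.10 via winbox
jan/02 10:21:30 system,info,account user admin logged in from 192.168.88.10 via winbox
"""

FAILURE_RE = re.compile(
    r"^[a-z]{3}/\d{2} (?P<time>\d{2}:\d{2}:\d{2}) \S+ login failure "
    r"for user (?P<user>\S+) from (?P<src>\S+) via (?P<svc>\S+)$"
)

def parse_failures(text):
    """Return (seconds_since_midnight, user, src, service) per failed login; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if m:  # successful logins and unrelated lines do not match
            h, mi, s = (int(x) for x in m["time"].split(":"))
            events.append((h * 3600 + mi * 60 + s, m["user"], m["src"], m["svc"]))
    return events

def classify_sources(events, window=60, min_users=4, min_attempts=3):
    """Per source IP: many distinct usernames within `window` seconds -> enumeration;
    repeated failures against one account -> password guessing; else benign."""
    by_src = defaultdict(list)
    for ts, user, src, svc in events:
        if svc == "winbox":
            by_src[src].append((ts, user))
    verdicts = {}
    for src, attempts in by_src.items():
        attempts.sort()
        span = attempts[-1][0] - attempts[0][0]
        users = {u for _, u in attempts}
        if len(users) >= min_users and span <= window:
            verdicts[src] = "username-enumeration"
        elif len(attempts) >= min_attempts:
            verdicts[src] = "password-guessing"
        else:
            verdicts[src] = "benign"
    return verdicts
```

On the sample above, `classify_sources(parse_failures(SAMPLE_LOG))` flags 203.0.113.5 as username enumeration and 192.168.88.10 as password guessing; tune the thresholds to the size and login habits of your own network.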
Mitigation strategies for devices that cannot be updated immediately
Restrict WinBox Access. Firewall the WinBox port on public interfaces and untrusted networks. Limit connections to trusted IP addresses using the “IP → Services” menu to specify allowed sources (e.g., your LAN and trusted public IPs).
Use additional protection methods if access from untrusted networks is necessary
Port Knocking: https://help.mikrotik.com/docs/spaces/ROS/pages/154042369/Port+knocking
Brute-Force Prevention: https://help.mikrotik.com/docs/spaces/ROS/pages/268337176/Bruteforce+prevention
Secure MAC-WinBox Connections: Restrict MAC-WinBox connections to trusted interfaces using:
/tool mac-server mac-winbox set allowed-interface-list=<trusted-interface-list>
If your device is running the default configuration with the firewall enabled, the WinBox service is already limited to LAN access. In this case, the only potential attack vector would be internal network threats.
For more details, please see:
https://help.mikrotik.com/docs/spaces/ROS/pages/167706788/Default+configurations