Skip to main content

Home Support

Security

Responsible disclosure of discovered vulnerabilities

It is important for us at MikroTik that our customers can feel safe and secure when using our products. We therefore constantly strive to achieve the highest possible security and quality. Despite this, an issue could be discovered, that affects our device security. If you have found such a security flaw, we would like to hear more about it to be able to correct the problem as soon as possible. We are thankful to you for taking the time to report to us weaknesses you discover, as long as you do so with adherence to the following responsible disclosure guidelines.

Vulnerabilities in RouterOS, that allow unauthorised users to gain access to the software administation tools
Vulnerabilities in our webpages that enable disclosure of non-public client information; enable a user to modify data that is not their own or could lead to compromise or leakage of data and directly affect the confidentiality or integrity of user data or which affects user privacy

Any vulnerabilities without a properly described evidence report of proof of possible exploitation
Vulnerabilities only affecting users of outdated or unpatched browsers and platforms (older than two major releases) or for users who have intentionally reduced security settings on their platform
Issues that arise from misconfiguration or misuse of equipment or software
Situations where equipment resources are used by user run tasks (eg. my CPU is being used when I run this command or my device is overloaded by network traffic)

Not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying (third party) data
Not reveal the problem to others until it has been resolved and MikroTik agrees on its disclosure
Never publicise any personal data that you have retrieved and delete all such information retrieved through the vulnerability
Not use attacks on physical security, social engineering, distributed denial of service (DoS and DDoS), spam or applications of third parties
Provide sufficient information to reproduce the problem so we will be able to resolve it as quickly as possible.

Your notification will be reviewed and if the problem will be discovered, you will be notified within 48 hours with acknowledgement of the issue
The issue will be fixed according to our internal processes
You will be notified that the issue is resolved, within 48 hours of the resolution
If you have followed the instructions above, we will not take any legal action against you in regard to the notification
We will not pass on your personal details described in notification to third parties without your permission (unless so required under the law and request by authorities)

Security Announcements

CVE-2024-54772 Feb 18, 2025
Issue Summary

A vulnerability has been identified in the WinBox service, where a discrepancy in response size between connection attempts with valid and invalid usernames allows attackers to confirm if user accounts exists via brute forcing the login process. In other words, when attacker tries to log into the device, by examining the response, the attacker can deduce if such a user exists on the device. Even if username is found, password still needs to be guessed as well.

Affected Versions

RouterOS versions prior to 6.49.18 and 7.18.

Recommended Actions

Update RouterOS – Upgrade to 6.49.18, 7.18, or a newer version to patch the vulnerability. Monitor for unusual login attempts – Review router logs for suspicious authentication activity and take action accordingly.

Mitigation strategies for devices that cannot be updated immediately

Restrict WinBox Access. Firewall the WinBox port on public interfaces and untrusted networks. Limit connections to trusted IP addresses using the “IP → Services” menu to specify allowed sources (e.g., your LAN and trusted public IPs).

Use additional protection methods if access from untrusted networks is necessary

Port Knocking: https://help.mikrotik.com/docs/spaces/ROS/pages/154042369/Port+knocking

Brute-Force Prevention: https://help.mikrotik.com/docs/spaces/ROS/pages/268337176/Bruteforce+prevention

Secure MAC-WinBox Connections: Restrict MAC-WinBox connections to trusted interfaces using:
```
/tool mac-server mac-winbox set allowed-interface-list=<trusted-interface-list>
```
If your device is running the default configuration with firewall enabled, WinBox service is already limited to LAN access. In this case, the only potential attack vector would be internal network threats.

For more details, please see:

https://help.mikrotik.com/docs/spaces/ROS/pages/167706788/Default+configurations

Contact us about vulnerabilities

security@mikrotik.com