CVE-2018-14847 winbox vulnerability

A cybersecurity researcher from Tenable Research has released a new proof-of-concept (PoC) RCE attack for an old directory traversal vulnerability that was found and patched within a day of its discovery in April this year, the new attack method found by Tenable Research exploits the same vulnerability, but takes it to one step ahead.

Since the original Winbox issue, identified as CVE-2018-14847, was already patched back in April, we urge all MikroTik users to upgrade their devices to any recently released version, and as a precaution also change their passwords and inspect their configuration for unknown entries.

Please note that all of the recently released CVE entries have been fixed in RouterOS for several months, none of the newly discussed issues affect current products. More information from Tenable. Original post about the fixed issue, later called CVE-2018-14847, including more suggestions.

In short:

  • Regardless of version used, all RouterOS versions that have the default firewall enabled, are not vulnerable
  • If user has manually disabled the default firewall, their device might be vulnerable to CVE-2018-14847, which was patched in April
  • Newly revealed exploit relies on the above, already patched issue
  • Please upgrade, change password and inspect configuration for irregularities