CVE-2023-30799
A new CVE has been published which describes a policy elevation issue: a logged-in administrator with the “policy” permission (able to grant additional permissions to any user on the router) is also able to send crafted configuration commands that are exchanged internally between the router software components and are normally rejected when sent by a user. This can be used as a stepping stone to execute arbitrary code on the router, allowing the connected user to gain control of the underlying operating system on which RouterOS runs.
To be able to use this discovered exploit, one would need administrative access to RouterOS, i.e. a known username and password, as well as a way to connect (no firewall).
This is not the only way in which a logged-in administrator user with such a high access level (as required for this exploit) can compromise the router. Other possibilities include: saving, modifying and restoring a configuration backup; installing additional software packages; using another device on the local network to perform a network reinstall of the router to a known vulnerable version.
Thus, if the malicious party already has full admin login to a router, this exploit provides little additional advantage. It is extremely important to make sure that the configuration interface of the router is protected by a secure password and is not accessible to untrusted parties.
Suggested course of action:
- Refrain from giving administrative access to users that are not trustworthy
- Ensure your firewall settings protect your device from brute-force login attempts
- Utilize the RouterOS device-mode feature to further secure critical parts of your device
- Keep RouterOS up to date; use check-for-updates to make sure you are running the latest RouterOS version
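As an added example (not part of the MikroTik advisory), the following RouterOS CLI configuration applies the course of action above: it restricts management access to a trusted address list, drops other unsolicited input from the WAN, disables unused services, limits where the admin account may log in from, restricts device-mode, and checks for updates. The trusted subnet 192.168.88.0/24, the interface list name "WAN" and the address-list name "mgmt" are assumptions; adjust them to your network.

```routeros
# Added hardening example, not from the advisory. Assumptions: trusted
# management subnet 192.168.88.0/24, WAN interface list named "WAN".

# 1. Only trusted hosts should ever reach the management interfaces.
/ip firewall address-list
add list=mgmt address=192.168.88.0/24 comment="trusted management hosts"

# 2. Input chain: accept established traffic, accept management only from the
#    trusted list, drop everything else arriving from the WAN. Unsolicited
#    input that never reaches a login prompt cannot be brute-forced.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input src-address-list=mgmt action=accept comment="management from trusted hosts"
add chain=input in-interface-list=WAN action=drop comment="drop other input from WAN"

# 3. Weak default: every management service listens on every address.
#    Hardened: disable services you do not use, bind the rest to the trusted subnet.
/ip service
disable telnet,ftp,www,api,api-ssl
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24

# 4. Limit the addresses the administrator account may log in from and set a
#    strong, unique password (placeholder below; choose your own).
/user set admin address=192.168.88.0/24
/user set admin password="<choose-a-long-unique-password>"

# 5. Device-mode (RouterOS v7): "home" mode locks out features a typical
#    deployment does not need. RouterOS asks you to confirm the change
#    physically (reset button or power cycle) within the time it prints.
/system device-mode update mode=home

# 6. Stay current: check for and install the fixed release (v7.7 / v6.49.7 or newer).
/system package update check-for-updates
/system package update install
```

Review the input chain against the services your LAN clients obtain from the router (DNS, DHCP) before enabling the final drop rule, so that only untrusted sources are cut off.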
In short, a RouterOS admin with full rights can already do anything in RouterOS and has full control over all configuration, but should not be able to run other code or inject other files in the subsystem of RouterOS. This issue is fixed in all RouterOS releases available on our download page (v7.7 and v6.49.7 and newer).