MikroTik RouterOS versions 7.1 through 7.11 contained an access control issue in the REST API. The issue applied to installations where the REST API was enabled and reachable, and could allow requests to be handled with incorrect access control.
This issue is fixed in RouterOS 7.12 and newer releases.
MikroTik always recommends keeping RouterOS devices up to date and using a strong firewall so API and management services are available only from trusted networks.
Contact us about vulnerabilities