
CVE-2025-6443


Jun 25, 2025 | Security

An improper access control vulnerability has been identified in MikroTik RouterOS, related to the handling of VXLAN source IP addresses. This flaw allows remote attackers to bypass access restrictions on affected installations without requiring authentication.

The specific issue exists within the processing of remote IP addresses during VXLAN traffic handling. The router fails to validate the remote IP address against configured values before allowing ingress traffic into the internal network. An attacker can exploit this lack of validation to gain unauthorized access to internal network resources. This vulnerability was tracked as ZDI-CAN-26415.

Users are advised to upgrade to RouterOS 7.20 or any later version to mitigate this vulnerability.

MikroTik always recommends keeping RouterOS devices up to date and using a strong firewall to limit exposure from untrusted networks, including traffic to services or tunnel endpoints that should be reachable only from trusted peers.
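
The validation described above, checking the remote IP address of VXLAN traffic against configured values before allowing ingress, can be applied to captured traffic to spot packets from unexpected sources. The sketch below is an added example, not MikroTik code; the per-VNI peer table, the function names, UDP port 4789 and the documentation-range addresses are assumptions, and the sample packets are constructed.

```python
import ipaddress
import struct

VXLAN_PORT = 4789  # IANA-assigned VXLAN port (assumed; match the tunnel's setting)

def parse_vxlan_outer(packet: bytes):
    """Return (outer source IP, VNI) for an IPv4/UDP/VXLAN packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != 17 or len(packet) < ihl + 16:
        return None  # not UDP, or too short for UDP + VXLAN headers
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None  # non-first fragment carries no UDP header
    if struct.unpack("!H", packet[ihl + 2:ihl + 4])[0] != VXLAN_PORT:
        return None
    if not packet[ihl + 8] & 0x08:
        return None  # RFC 7348 "I" flag must be set for a valid VNI
    vni = int.from_bytes(packet[ihl + 12:ihl + 15], "big")
    return ipaddress.IPv4Address(packet[12:16]), vni

def check_ingress(packet: bytes, configured_remotes: dict) -> str:
    """Accept only when the outer source is a configured remote for that VNI."""
    parsed = parse_vxlan_outer(packet)
    if parsed is None:
        return "not-vxlan"
    src, vni = parsed
    return "accept" if src in configured_remotes.get(vni, set()) else "drop"

def build_sample(src: str, vni: int) -> bytes:
    """Constructed test packet: IPv4 + UDP + VXLAN + empty inner Ethernet header."""
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    payload = vxlan + b"\x00" * 14
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(payload), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(payload), 0, 0,
                     64, 17, 0, ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address("198.51.100.1").packed)
    return ip + udp + payload

# Hypothetical configuration: VNI 100 has one trusted remote VTEP.
CONFIGURED = {100: {ipaddress.IPv4Address("192.0.2.10")}}

if __name__ == "__main__":
    for src, vni in [("192.0.2.10", 100), ("203.0.113.7", 100), ("192.0.2.10", 200)]:
        print(src, vni, check_ingress(build_sample(src, vni), CONFIGURED))
```

A check like this is useful for reviewing captures taken at the tunnel endpoint; upgrading to the fixed RouterOS version remains the remedy.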

