
CVE-2025-6563


Jul 3, 2025 | Security

A cross-site scripting (XSS) vulnerability has been discovered in the hotspot functionality of MikroTik RouterOS, affecting versions below 7.19.2. An attacker can inject the javascript protocol via the dst parameter in a crafted URL. When a victim browses to this malicious URL and logs in through the hotspot page, the injected XSS payload executes in their browser.

Additionally, the POST request used for login can be converted to a GET request. This allows an attacker to craft a URL that automatically logs the victim into the attacker’s account and triggers the payload, requiring no interaction beyond visiting the link.
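The two weaknesses described above are a post-login redirect parameter that accepts any URL scheme, and a login endpoint that honours credentials sent in a GET query string. The following Python example is added here to illustrate the defensive side of both points; it is not RouterOS code or MikroTik's hotspot page. It assumes the parameter and path names the advisory mentions (dst, /login) plus hypothetical username/password field names and a hypothetical /status fallback page, and the access-log lines it scans are constructed samples, not real router output.

```python
"""Defensive handling of a hotspot login "dst" (post-login redirect) parameter.

Illustrative example written for this advisory, not RouterOS code. The names
dst, /login, username, password and /status are assumptions about the request
format; the log lines below are constructed samples.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
FALLBACK_TARGET = "/status"  # assumed safe landing page when dst is rejected

# C0 control characters (tab, newline, ...) that browsers drop while parsing a
# URL, so "java\tscript:" has to be treated exactly like "javascript:".
_CONTROL_CHARS = dict.fromkeys(range(0x20))


def normalize_target(raw: str) -> str:
    """Decode twice (catches double percent-encoding) and strip control characters."""
    return unquote(unquote(raw)).strip().translate(_CONTROL_CHARS)


def is_safe_target(raw: str, allowed_hosts=None) -> bool:
    """True only for an http(s) URL or a same-origin path.

    allowed_hosts=None keeps the hotspot behaviour of returning the user to
    whatever site they originally requested, while still refusing every
    non-http(s) scheme (javascript:, data:, ...).
    """
    value = normalize_target(raw)
    if not value:
        return False
    parts = urlsplit(value)
    if parts.scheme:
        if parts.scheme.lower() not in ALLOWED_SCHEMES:
            return False
        host = (parts.hostname or "").lower()
        if not host:
            return False
        return allowed_hosts is None or host in allowed_hosts
    # No scheme: accept a plain path, but not protocol-relative "//host" or "/\host".
    return value.startswith("/") and value[1:2] not in ("/", "\\")


def safe_redirect_target(raw: str, allowed_hosts=None) -> str:
    """Validated redirect target, or FALLBACK_TARGET if dst was rejected."""
    return normalize_target(raw) if is_safe_target(raw, allowed_hosts) else FALLBACK_TARGET


def render_hidden_dst(raw: str) -> str:
    """Scheme allowlist plus output encoding when dst is echoed into the login form."""
    return '<input type="hidden" name="dst" value="%s">' % html.escape(
        safe_redirect_target(raw), quote=True)


# Constructed sample access-log lines (common log format; not real RouterOS output).
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Jul/2025:10:00:01 +0000] "GET /login?dst=http%3A%2F%2Fexample.com%2F HTTP/1.1" 200 512',
    '10.0.0.7 - - [03/Jul/2025:10:00:02 +0000] "GET /login?dst=javascript%3Avoid%280%29 HTTP/1.1" 200 512',
    '10.0.0.9 - - [03/Jul/2025:10:00:03 +0000] "GET /login?username=guest&password=guest&dst=%2Fstatus HTTP/1.1" 302 0',
    '10.0.0.9 - - [03/Jul/2025:10:00:04 +0000] "POST /login HTTP/1.1" 302 0',
]

_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def flag_login_requests(lines):
    """Return (line_number, reason) pairs for login requests worth a defender's review."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        if parts.path != "/login":
            continue
        query = parse_qs(parts.query, keep_blank_values=True)
        for dst in query.get("dst", []):
            if not is_safe_target(dst):
                findings.append((n, "dst with disallowed scheme or form: %r" % dst))
        if m.group("method") == "GET" and any(k in query for k in ("username", "password")):
            findings.append((n, "credentials passed in GET query string"))
    return findings


if __name__ == "__main__":
    for line_no, reason in flag_login_requests(SAMPLE_LOG):
        print("line %d: %s" % (line_no, reason))
```

The validator deliberately normalizes before classifying so that percent-encoding and embedded tab or newline characters cannot smuggle a scheme past the allowlist, and the form renderer HTML-escapes the value even after validation, since the two controls cover different failure modes. The log scan mirrors the advisory's two conditions: a dst value that is not a plain http(s) URL or local path, and a login performed through a GET request that carries credentials.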

Users are advised to upgrade to RouterOS 7.20 or any later version to address this vulnerability.

MikroTik always recommends keeping RouterOS devices up to date and using a strong firewall to protect router management services from untrusted networks; hotspot access should still be configured only as broadly as the deployment requires.

