Connect with us

Hi, what are you looking for?



Code Execution Vulnerability Impacts 900k MikroTik Devices

Over 900,000 devices are impacted by an arbitrary code execution vulnerability in MikroTik RouterOS.

More than 900,000 MikroTik devices are impacted by a RouterOS vulnerability leading to arbitrary code execution, vulnerability intelligence provider VulnCheck reports.

Tracked as CVE-2023-30799 (CVSS score of 9.1), the issue is described as a privilege escalation bug impacting RouterOS versions before 6.49.7 and RouterOS long-term versions through 6.48.6.

“A remote and authenticated attacker can escalate privileges from admin to super-admin on the Winbox or HTTP interface. The attacker can abuse this vulnerability to execute arbitrary code on the system,” a NIST advisory reads.

The vulnerability was initially disclosed in June 2022, at the REcon conference, but no CVE identifier was assigned to it. Proof-of-concept (PoC) code demonstrating how a root shell can be obtained on a RouterOS x86 virtual machine was also published at the time.

MikroTik patched the bug in RouterOS stable 6.49.7 in October 2022, without detailing it, VulnCheck says. Patches were released for the RouterOS long-term version as well.

According to VulnCheck, a Shodan search shows that there are many potentially vulnerable devices.

“In total, Shodan indexes approximately 500,000 and 900,000 RouterOS systems vulnerable to CVE-2023-30799 via their web and/or Winbox interfaces respectively,” VulnCheck notes.

Advertisement. Scroll to continue reading.

The issue, the firm says, should be taken seriously because it is rather easy to obtain RouterOS credentials and exploit this vulnerability to escalate privileges from admin to ‘super-admin’ – which provides the attacker with access to an arbitrary function call.

On the one hand, attackers can use default RouterOS credentials to compromise devices. On the other hand, they can use various tools to brute-force RouterOS devices, including API, web, and Winbox brute forcing tools (Shodan shows roughly 400,000 devices exposing the RouterOS API).

RouterOS ships with a default ‘admin’ user that is often not removed from devices and which is protected with a default empty string. Attackers can target an observable response discrepancy bug in the Winbox authentication scheme to determine the existence of the default account.

VulnCheck verified 5,500 of the hosts identified via Shodan and found that 60% contained the default admin user account.

“It wasn’t until RouterOS 6.49 (October 2021) that RouterOS started prompting administrators to update blank passwords. Even when an administrator has set a new password, RouterOS doesn’t enforce any restrictions. Administrators are free to set any password they choose, no matter how simple,” VulnCheck notes.

The vulnerability went under the radar because the initial exploit only targeted RouterOS x86 virtual machines. However, exploits that target RouterOS hardware have been released as well and administrators are urged to patch devices as soon as possible.

“Under normal circumstances, we’d say detection of exploitation is a good first step to protecting your systems. Unfortunately, detection is nearly impossible. The RouterOS web and Winbox interfaces implement custom encryption schemes that neither Snort or Suricata can decrypt and inspect. Once an attacker is established on the device, they can easily make themselves invisible to the RouterOS UI,” VulnCheck notes.

Related: Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own

Related: Microsoft Releases Open Source Tool for Securing MikroTik Routers

Related: MikroTik Confirms Mēris Botnet Targets Routers Compromised Years Ago

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.