Zero-day vulnerability in MikroTik RouterOS

Stack-based buffer overflow

Remote code execution exploit was revealed during Vault 7 leak. It is possible, that this vulnerability was used to compromise Mikrotik routers in Slingshot APT campaign.

Known malware:


Vulnerability details

Advisory: SB2017030703 - Remote code execution in Mikrotik RouterOS HTTP server

Vulnerable component: MikroTik RouterOS


CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

CWE-ID: CWE-121 - Stack-based Buffer Overflow


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the HTTP server component. A remote attacker can send a specially crafted HTTP POST request to the affected device and trigger stack-based buffer overflow.

Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on the target system.

Note: this vulnerability was disclosed in the "Vault 7" leak by Wikileaks project. The codename of the exploit affecting Mikrotik RouterOS is ChimayRed.