Zero-day vulnerability in MikroTik RouterOS

Stack-based buffer overflow

Remote code execution exploit was revealed during Vault 7 leak. It is possible, that this vulnerability was used to compromise Mikrotik routers in Slingshot APT campaign.

Known malware:


Vulnerability details

Advisory: SB2017030703 - Remote code execution in Mikrotik RouterOS HTTP server

Vulnerable component: MikroTik RouterOS


CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

CWE-ID: CWE-121 - Stack-based Buffer Overflow


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the HTTP server component. A remote attacker can send a specially crafted HTTP POST request to the affected device and trigger stack-based buffer overflow.

Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code on the target system.

Note: this vulnerability was disclosed in the "Vault 7" leak by Wikileaks project. The codename of the exploit affecting Mikrotik RouterOS is ChimayRed.

Vulnerability Scanning SaaS

Vulnerability scanning SaaS service is online 3-rd generation vulnerability scanner with scheduled assessments and vulnerability subscription. You can use service to check security of your network perimeter.