Zero-day vulnerability in MikroTik RouterOS

Improper authentication

At the time of initial disclosure the vulnerability was reported as exploited against a very limited number of targets; mass exploitation of unpatched devices followed later in 2018 (see the media references below).

Vulnerability details

Advisory: SB2018042420 - Authentication bypass in MikroTik RouterOS

Vulnerable component: MikroTik RouterOS

CVE-ID: CVE-2018-14847

CVSSv3 base score: 9.8 (Critical); vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C

CWE-ID: CWE-287 - Improper Authentication


The vulnerability allows a remote, unauthenticated attacker to bypass authentication and obtain full administrative access to the device.

The weakness exists due to improper authentication in the Winbox management interface, which listens on port 8291/TCP and, by default, accepts connections from any address. A remote attacker can send specially crafted packets to the service, bypass authentication, retrieve the local user database with account credentials, and then log in to the vulnerable device with full privileges.

Successful exploitation of the vulnerability may result in complete system compromise. Because the retrieved database contains account credentials, upgrading alone is not sufficient: every account password on a device that was exposed should be changed after the update, and the configuration should be reviewed for changes made by an attacker.

Note: this vulnerability has been exploited in the wild since April 2018.
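
The following RouterOS console commands are an added hardening example for the Winbox exposure described above; they are not part of this advisory and not MikroTik's own guidance. The management subnet 10.0.0.0/24, the address-list name "mgmt" and the placeholder password are assumptions; adapt them to your network before running anything, and do this from a console or out-of-band session so that tightening the service does not lock you out.

```routeros
# Added example (not from the advisory or MikroTik). Assumed: management
# hosts live in 10.0.0.0/24; you are on a console/out-of-band session.

# 1. Weak default: on an unhardened router the winbox entry printed here
#    has an empty "address" column, i.e. 8291/TCP is reachable from anywhere.
/ip service print

# 2. Restrict the management services you keep to the management subnet
#    and disable the ones you do not use.
/ip service set winbox address=10.0.0.0/24
/ip service set ssh address=10.0.0.0/24
/ip service disable telnet
/ip service disable ftp
/ip service disable www
/ip service disable api
/ip service disable api-ssl

# 3. Defence in depth: admit Winbox only from an address list and drop the
#    rest. "add" appends to the chain, so move these two rules above any
#    broad accept rule in the input chain (check with the final print).
/ip firewall address-list add list=mgmt address=10.0.0.0/24 comment="management hosts"
/ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address-list=mgmt action=accept comment="Winbox from mgmt only"
/ip firewall filter add chain=input protocol=tcp dst-port=8291 action=drop comment="drop Winbox from everywhere else"
/ip firewall filter print

# 4. Record the running version, then upgrade to a fixed release.
#    "install" downloads the packages and reboots the router.
/system resource print
/system package update check-for-updates
/system package update install

# 5. The user database may already have been read: rotate every account
#    password (placeholder below is an assumption) and look for accounts,
#    scheduler jobs and a SOCKS proxy you did not configure yourself.
/user print
/user set admin password="<new strong password>"
/system scheduler print
/ip socks print
```

Steps 2 and 3 are independent controls: the service-level address restriction protects Winbox even if the firewall is later edited, and the firewall rule protects the port even if someone re-opens the service. Step 5 matters because an attacker who already used the bypass holds valid credentials and keeps access through a patch unless the passwords change.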

Latest references in media:

- Huawei router used in U.S. and Latin America vulnerable to new attack [2018-12-22 01:01:23]

- Huawei Router Flaw Leaks Default Credential Status [2018-12-20 21:50:13]

- 415,000 routers worldwide reportedly infected with cryptojacking malware [2019-01-11 13:07:34]

- A Russian cyber vigilante is patching outdated MikroTik routers exposed online [2018-10-15 08:50:07]

- A mysterious grey-hat is patching people's outdated MikroTik routers | ZDNet [2018-10-12 16:10:12]

- Multiple Vulnerabilities Discovered In RouterOS That Affected MikroTik Routers [2018-10-11 23:30:50]

- If you haven't already patched your MikroTik router for vulns, then if you could go do that, that would be greeeeaat [2018-10-11 03:50:01]

- MikroTik router vulnerability lets hackers bypass firewall to load malware undetected [2018-12-26 21:58:21]

- MikroTik Router's WinBox Vulnerability is More Critical Than Previously Thought, New RCE PoC Exploit Turns 'Medium' MikroTik Router Vulnerability Into 'Critical' [2018-10-08 17:40:06]

- Unpatched routers bad, doubly unpatched routers worse – much, much worse! [2018-10-08 17:10:17]

- Expert presented a new attack technique to compromise MikroTik Routers [2018-10-08 14:30:09]

- MikroTik vulnerability climbs up the severity scale, new attack permits root access | ZDNet [2018-10-08 13:00:11]

- Fancy Bear still Putin out new modules for VPNFilter malware [2018-09-27 09:40:02]

- Evolution of threat landscape for IoT devices – H1 2018 [2018-09-19 10:50:09]

- Other 3,700 MikroTik Routers compromised in cryptoJacking campaigns [2018-09-11 08:40:11]

- Over 3,700 MikroTik Routers Abused In CryptoJacking Campaigns [2018-09-10 20:40:26]

- Hackers Hijacked 7,500+ MikroTik Routers and Redirecting Users Traffic [2018-09-06 03:00:53]

- MikroTik Routers Are Being Hijacked to Intercept User's Traffic [2018-09-05 13:51:02]

- Thousands of MikroTik routers are snooping on user traffic | ZDNet [2018-09-05 13:30:13]

- Mikrotik routers pwned en masse and send network data to mysterious server [2018-09-04 23:00:01]

- Experts warn of 7,500+ MikroTik Routers that are hijacking owners' traffic [2018-09-04 14:50:12]

- Thousands of Compromised MikroTik Routers Send Traffic to Attackers [2018-09-04 13:50:26]

- Qihoo 360 Netlab Researchers Identified Thousands of MikroTik Routers Hacked With Socks4 Proxy to Eavesdrop On Network Traffic [2018-09-04 12:00:05]

- MikroTik Routers Compromised Via A Huge Coinhive Cryptojacking Campaign [2018-08-05 11:40:48]

- Compromised MikroTik routers power extensive cryptojacking campaign [2018-08-03 14:11:27]

- MikroTik routers enslaved in massive Coinhive cryptojacking campaign | ZDNet [2018-08-03 12:00:08]
