Patch Now: Up to 900K MikroTik Routers Vulnerable to Total Takeover

Published: 23/11/2024   Category: security


Researchers have delivered working exploits for RouterOS, which, when combined with default admin passwords, can be a recipe for cyber disaster.



Up to 900,000 MikroTik routers, a popular target for threat actors including nation-state groups, may be open to attack via a privilege escalation vulnerability in the RouterOS operating system.
The vulnerability (CVE-2023-30799) gives attackers a way to take complete control of affected MIPS-processor-based MikroTik devices and pivot into an organization's network, according to researchers from VulnCheck, which just published several new exploits for the flaw. Attackers can also use it to enable man-in-the-middle attacks on network traffic flowing through the router, they warned. RouterOS stable versions before 6.49.7 and long-term versions through 6.48.6 are vulnerable to the issue.
The worst-case scenario is that an attacker can install and execute arbitrary tools on the underlying Linux operating system, says Jacob Baines, lead researcher at VulnCheck. Remote, authenticated attackers can use the vulnerability to get a root shell on the router by escalating admin-level privileges to those of a super-administrator.
MikroTik has released a fix for impacted RouterOS versions, and admins should apply it quickly. The stakes are high: MikroTik claims numerous well-known organizations as its customers, including NASA, ABB, Ericsson, Saab, Siemens, and Sprint. Several ISPs use its routers as well. A Shodan search showed that as of July 18, there were between 500,000 and 900,000 MikroTik routers vulnerable to CVE-2023-30799 via their Web or Winbox interfaces.
MikroTik devices have been targeted by advanced attackers for quite some time because they provide powerful access to protected networks, Baines says. Malware operations such as TrickBot and VPNFilter, and the Slingshot advanced persistent threat group, have all been known to target the devices; in 2022, Microsoft warned of TrickBot actors using MikroTik routers as proxy servers for TrickBot's command-and-control (C2) servers. In addition, the Vault 7 Wikileaks data dump of classified CIA documents contained an exploit for MikroTik routers, he says.
The attack that VulnCheck developed requires the exploit to use return-oriented programming (ROP). ROP is an exploit technique in which an attacker, rather than injecting new code, achieves malicious execution by chaining together small fragments of code ("gadgets") that already exist in the target binary, each ending in a return instruction that hands control to the next gadget. VulnCheck essentially developed a new ROP chain that works against RouterOS on the MIPS big-endian (MIPSBE) architecture, Baines says.
Only an attacker with authenticated access to an affected MikroTik device can exploit the vulnerability. But acquiring credentials to RouterOS is relatively easy, VulnCheck said in its report. 
For one thing, RouterOS ships with an admin user account with an empty string as a default password. Many organizations fail to delete the admin account even though MikroTik itself recommends that organizations delete it. 
RouterOS also does not enforce any restrictions on passwords. So, when administrators do set a password, it is often easy to guess and offers little protection against brute-force attacks, VulnCheck said.
For its part, MikroTik did not immediately respond to a Dark Reading request for comment submitted via its support email. 
While MikroTik has been aware of this latest issue since at least last October, a CVE identifier and a patch for RouterOS Long-term weren't released until July 20, likely because the bug hadn't posed any real-world risk until now.
Researchers at security firm Margin Research first disclosed the vulnerability and an exploit for it dubbed FOISted in June 2022. FOISted enabled root shell access on an x86 virtual machine running RouterOS, but it was a moot exercise, since MikroTik does not ship x86 hardware-based devices, Baines says.
Nonetheless, Latvia-based MikroTik addressed the issue in an incremental version of the operating system (RouterOS stable 6.49.7) last October but made no patch available for major versions, or what MikroTik refers to as long-term versions, of RouterOS.
VulnCheck's exploit, on the other hand, works against RouterOS on the MIPSBE architecture that MikroTik uses in many of its products. The exploits therefore have a far bigger impact, Baines notes: FOISted had no impact on real-world products; VulnCheck's findings very much do.
The security vendor describes its exploit as a simplified and more practical version of Margin's FOISted. VulnCheck's research also did some things to weaponize the exploit, for example eliminating the use of FTP and using a reverse shell instead of a bind shell, Baines says.
To protect themselves, VulnCheck recommends that all organizations using affected versions of MikroTik devices disable the Winbox and Web interfaces, restrict the IP addresses from which admins can log in, and disable password authentication and configure SSH to use public/private keys instead.
Ultimately, our recommendation is to move to a password-less solution, Baines says. Organizations that must use passwords would ideally move to stronger passwords to prevent brute-forcing.
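The three things the article tells admins to verify (a version in the affected ranges, Winbox and Web interfaces reachable from anywhere, and a default admin account that was never removed) can be checked offline against the text a RouterOS device prints. The script below is an added example, not code from VulnCheck, MikroTik or Dark Reading. It assumes the column layout shown in its own constructed sample outputs of `/system resource print`, `/ip service print` and `/user print`, applies only the version ranges stated above (stable before 6.49.7, long-term through 6.48.6), and deliberately reports 7.x or unknown release channels as "not covered" rather than "safe".

```python
"""Offline triage of a MikroTik device against the checks in the article above.

Added example, not VulnCheck's, MikroTik's or Dark Reading's code. It parses the
text output of `/system resource print`, `/ip service print` and `/user print`
and flags: a version in the affected ranges (stable before 6.49.7, long-term
through 6.48.6), Winbox/Web services reachable from any address, and a surviving
default `admin` account. The three sample outputs are constructed for the example.
"""
import re

# Constructed sample: `/system resource print` on a hypothetical long-term device.
SAMPLE_RESOURCE = """\
                  version: 6.48.6 (long-term)
        architecture-name: mipsbe
"""
# Constructed sample: `/ip service print`; X = disabled, empty ADDRESS = any source.
SAMPLE_SERVICES = """\
Flags: X - disabled, I - invalid
 #   NAME     PORT ADDRESS          CERTIFICATE
 0 X telnet     23
 1   ftp        21
 2   www        80
 3   ssh        22 192.168.88.0/24
 4   www-ssl   443                  none
 5   api      8728
 6   winbox   8291
 7   api-ssl  8729                  none
"""
# Constructed sample: `/user print`; the default admin account was never removed.
SAMPLE_USERS = """\
Flags: X - disabled
 #   NAME    GROUP  ADDRESS  LAST-LOGGED-IN
 0   admin   full            jul/18/2023 09:12:31
 1   netops  full            jul/19/2023 14:02:10
"""

VERSION_RE = re.compile(r"^\s*version:\s*([\d.]+)\s*(?:\((\S+)\))?", re.M)
# row number, optional flag letters, service name, port, optional IPv4 address list
SERVICE_RE = re.compile(r"^\s*\d+\s+([XI]+\s+)?([\w-]+)\s+(\d+)(?:\s+(\d+\.\d+\.\d+\.\d+\S*))?")
USER_RE = re.compile(r"^\s*\d+\s+([XI]+\s+)?(\S+)\s+(\S+)")


def parse_version(resource_text):
    """Return (version_tuple, channel) from `/system resource print` output."""
    m = VERSION_RE.search(resource_text)
    if not m:
        raise ValueError("no 'version:' line in resource output")
    return tuple(int(p) for p in m.group(1).split(".")), (m.group(2) or "unknown")


def is_vulnerable_version(version, channel):
    """True/False for a 6.x stable or long-term version per the advisory ranges;
    None when the check does not cover the input (7.x, testing, unknown channel),
    so that 'not assessed' is never mistaken for 'safe'."""
    if not version or version[0] != 6:
        return None
    if channel == "stable":
        return version < (6, 49, 7)
    if channel == "long-term":
        return version <= (6, 48, 6)
    return None


def parse_services(service_text):
    """List of {name, port, enabled, address} rows from `/ip service print`."""
    rows = [SERVICE_RE.match(line) for line in service_text.splitlines()]
    return [{"name": m.group(2), "port": int(m.group(3)), "enabled": m.group(1) is None,
             "address": m.group(4)} for m in rows if m]  # address None = any source


def parse_users(user_text):
    """List of {name, group, disabled} rows from `/user print`."""
    rows = [USER_RE.match(line) for line in user_text.splitlines()]
    return [{"name": m.group(2), "group": m.group(3), "disabled": m.group(1) is not None}
            for m in rows if m]


def audit(resource_text, service_text, user_text):
    """Combine the checks; returns a list of (severity, message) tuples."""
    findings = []
    version, channel = parse_version(resource_text)
    vuln = is_vulnerable_version(version, channel)
    label = ".".join(map(str, version)) + f" ({channel})"
    if vuln:
        findings.append(("high", f"RouterOS {label} is in the affected range for CVE-2023-30799; upgrade"))
    elif vuln is None:
        findings.append(("info", f"RouterOS {label} is not covered by this check; verify against the advisory"))
    exposure = "high" if vuln else "medium"  # exposed admin interfaces hurt most when unpatched
    for svc in parse_services(service_text):
        if svc["enabled"] and svc["name"] in ("winbox", "www", "www-ssl"):
            where = svc["address"] or "any source address"
            findings.append((exposure, f"{svc['name']}/{svc['port']} is enabled, reachable from {where}"))
    for user in parse_users(user_text):
        if user["name"] == "admin" and not user["disabled"]:
            findings.append(("medium", "default 'admin' account still present; replace it with a named account and remove it"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_RESOURCE, SAMPLE_SERVICES, SAMPLE_USERS):
        print(f"[{severity}] {message}")
```

Paste real command output in place of the samples; nothing here touches the network. On the device side, the two service findings are cleared with `/ip service disable <name>` or by setting `/ip service set <name> address=<management-subnet>`, and the admin finding by creating a named full-group user and removing `admin`, which is what the recommendations above amount to.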
