Mikrotik Mikrotik

  1. Vendors
  2. Mikrotik
Do you want an email whenever new security vulnerabilities are reported in any Mikrotik product?

Products by Mikrotik Sorted by Most Security Vulnerabilities since 2018

Mikrotik Routeros69 vulnerabilities

Mikrotik Winbox3 vulnerabilities

Known Exploited Mikrotik Vulnerabilities

The following Mikrotik vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
MikroTik RouterOS Stack-Based Buffer Overflow Vulnerability In MikroTik RouterOS, a stack-based buffer overflow occurs when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system. CVE-2018-7445 September 8, 2022
MikroTik Router OS Directory Traversal Vulnerability MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface. CVE-2018-14847 December 1, 2021

By the Year

In 2024 there have been 0 vulnerabilities in Mikrotik . Last year Mikrotik had 5 security vulnerabilities published. Right now, Mikrotik is on track to have less security vulnerabilities in 2024 than it did last year.

Year Vulnerabilities Average Score
2024 0 0.00
2023 5 7.00
2022 10 8.08
2021 34 6.54
2020 5 6.02
2019 9 7.38
2018 7 7.90

It may take a day or so for new Mikrotik vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Mikrotik Security Vulnerabilities

MikroTik RouterOS v7.1 to 7.11 was discovered to contain incorrect access control mechanisms in place for the Rest API.

CVE-2023-41570 5.3 - Medium - November 14, 2023

MikroTik RouterOS v7.1 to 7.11 was discovered to contain incorrect access control mechanisms in place for the Rest API.

The web server used by MikroTik RouterOS version 6 is affected by a heap memory corruption issue

CVE-2023-30800 7.5 - High - September 07, 2023

The web server used by MikroTik RouterOS version 6 is affected by a heap memory corruption issue. A remote and unauthenticated attacker can corrupt the server's heap memory by sending a crafted HTTP request. As a result, the web interface crashes and is immediately restarted. The issue was fixed in RouterOS 6.49.10 stable. RouterOS version 7 is not affected.

Memory Corruption

MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6 are vulnerable to a privilege escalation issue

CVE-2023-30799 7.2 - High - July 19, 2023

MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6 are vulnerable to a privilege escalation issue. A remote and authenticated attacker can escalate privileges from admin to super-admin on the Winbox or HTTP interface. The attacker can abuse this vulnerability to execute arbitrary code on the system.

An issue discovered in MikroTik Router v6.46.3 and earlier

CVE-2020-20021 7.5 - High - July 12, 2023

An issue discovered in MikroTik Router v6.46.3 and earlier allows attacker to cause denial of service via misconfiguration in the SSH daemon.

Resource Exhaustion

An issue in the bridge2 component of MikroTik RouterOS v6.40.5

CVE-2023-24094 7.5 - High - March 27, 2023

An issue in the bridge2 component of MikroTik RouterOS v6.40.5 allows attackers to cause a Denial of Service (DoS) via crafted packets.

Memory Corruption

Mikrotik RouterOs before stable v7.6 was discovered to contain an out-of-bounds read in the snmp process

CVE-2022-45315 9.8 - Critical - December 05, 2022

Mikrotik RouterOs before stable v7.6 was discovered to contain an out-of-bounds read in the snmp process. This vulnerability allows attackers to execute arbitrary code via a crafted packet.

Out-of-bounds Read

Mikrotik RouterOs before stable v7.5 was discovered to contain an out-of-bounds read in the hotspot process

CVE-2022-45313 8.8 - High - December 05, 2022

Mikrotik RouterOs before stable v7.5 was discovered to contain an out-of-bounds read in the hotspot process. This vulnerability allows attackers to execute arbitrary code via a crafted nova message.

Out-of-bounds Read

The Mikrotik RouterOS web server allows memory corruption in releases before Stable 6.38.5 and Long-term 6.37.5, aka Chimay-Red

CVE-2017-20149 9.8 - Critical - October 15, 2022

The Mikrotik RouterOS web server allows memory corruption in releases before Stable 6.38.5 and Long-term 6.37.5, aka Chimay-Red. A remote and unauthenticated user can trigger the vulnerability by sending a crafted HTTP request. An attacker can use this vulnerability to execute arbitrary code on the affected system, as exploited in the wild in mid-2017 and later.

Memory Corruption

Mikrotik RouterOs through stable v6.48.3 was discovered to contain an assertion failure in the component /advanced-tools/nova/bin/netwatch

CVE-2022-36522 6.5 - Medium - August 26, 2022

Mikrotik RouterOs through stable v6.48.3 was discovered to contain an assertion failure in the component /advanced-tools/nova/bin/netwatch. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted packet.

assertion failure

The container package in MikroTik RouterOS 7.4beta4

CVE-2022-34960 9.8 - Critical - August 25, 2022

The container package in MikroTik RouterOS 7.4beta4 allows an attacker to create mount points pointing to symbolic links, which resolve to locations on the host device. This allows the attacker to mount any arbitrary file to any location on the host.

insecure temporary file

Mikrotik RouterOs before stable 6.48.2 suffers from a memory corruption vulnerability in the tr069-client process

CVE-2021-36614 6.5 - Medium - May 11, 2022

Mikrotik RouterOs before stable 6.48.2 suffers from a memory corruption vulnerability in the tr069-client process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).

NULL Pointer Dereference

Mikrotik RouterOs before stable 6.48.2 suffers from a memory corruption vulnerability in the ptp process

CVE-2021-36613 6.5 - Medium - May 11, 2022

Mikrotik RouterOs before stable 6.48.2 suffers from a memory corruption vulnerability in the ptp process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).

NULL Pointer Dereference

In the SCEP Server of RouterOS in certain Mikrotik products, an attacker can trigger a heap-based buffer overflow

CVE-2021-41987 8.1 - High - March 16, 2022

In the SCEP Server of RouterOS in certain Mikrotik products, an attacker can trigger a heap-based buffer overflow that leads to remote code execution. The attacker must know the scep_server_name value. This affects RouterOS 6.46.8, 6.47.9, and 6.47.10.

Memory Corruption

A buffer overflow in Mikrotik RouterOS 6.47

CVE-2020-22845 7.5 - High - February 28, 2022

A buffer overflow in Mikrotik RouterOS 6.47 allows unauthenticated attackers to cause a denial of service (DOS) via crafted FTP requests.

Classic Buffer Overflow

A buffer overflow in Mikrotik RouterOS 6.47

CVE-2020-22844 7.5 - High - February 28, 2022

A buffer overflow in Mikrotik RouterOS 6.47 allows unauthenticated attackers to cause a denial of service (DOS) via crafted SMB requests.

Memory Leak

Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/igmp-proxy process

CVE-2020-20219 6.5 - Medium - July 21, 2021

Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/igmp-proxy process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference).

Memory Corruption

Mikrotik RouterOs before 6.47 (stable tree) suffers

CVE-2020-20262 6.5 - Medium - July 21, 2021

Mikrotik RouterOs before 6.47 (stable tree) suffers from an assertion failure vulnerability in the /ram/pckg/security/nova/bin/ipsec process. An authenticated remote attacker can cause a Denial of Service due to an assertion failure via a crafted packet.

assertion failure

Mikrotik RouterOs before 6.44.6 (long-term tree) suffers

CVE-2020-20221 6.5 - Medium - July 21, 2021

Mikrotik RouterOs before 6.44.6 (long-term tree) suffers from an uncontrolled resource consumption vulnerability in the /nova/bin/cerm process. An authenticated remote attacker can cause a Denial of Service due to overloading the systems CPU.

Resource Exhaustion

Mikrotik RouterOs before stable 6.47 suffers from an uncontrolled resource consumption in the memtest process

CVE-2020-20248 6.5 - Medium - July 19, 2021

Mikrotik RouterOs before stable 6.47 suffers from an uncontrolled resource consumption in the memtest process. An authenticated remote attacker can cause a Denial of Service due to overloading the systems CPU.

Resource Exhaustion

Mikrotik RouterOs before stable 6.47 suffers from a memory corruption vulnerability in the resolver process

CVE-2020-20249 6.5 - Medium - July 19, 2021

Mikrotik RouterOs before stable 6.47 suffers from a memory corruption vulnerability in the resolver process. By sending a crafted packet, an authenticated remote attacker can cause a Denial of Service.

Buffer Overflow

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8. Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.