CVE-2018-14847 is a vulnerability in Mikrotik Routeros
Published on August 2, 2018
MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.
Known Exploited Vulnerability
This MikroTik Router OS Directory Traversal Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.
The following remediation steps are recommended / required by June 1, 2022: Apply updates per vendor instructions.
Vulnerability Analysis
CVE-2018-14847 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
What is a Directory traversal Vulnerability?
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVE-2018-14847 has been classified to as a Directory traversal vulnerability or weakness.
Products Associated with CVE-2018-14847
You can be notified by stack.watch whenever vulnerabilities like CVE-2018-14847 are published in these products:
What versions of Routeros are vulnerable to CVE-2018-14847?
-
Mikrotik Routeros
Up to Version 6.42