MikroTik RouterOS XSS via hotspot dst <7.19.2
CVE-2025-6563 Published on July 3, 2025
Cross-site scripting via dst parameter in RouterOS WiFi hotspot
A cross-site scripting vulnerability is present in the hotspot of MikroTik's RouterOS on versions below 7.19.2. An attacker can inject the `javascript` protocol in the `dst` parameter. When the victim browses to the malicious URL and logs in, the XSS executes. The POST request used to login, can also be converted to a GET request, allowing an attacker to send a specifically crafted URL that automatically logs in the victim (into the attacker's account) and triggers the payload.
Weakness Type
Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Products Associated with CVE-2025-6563
Want to know whenever a new CVE is published for MikroTik Routeros? stack.watch will email you.
Affected Versions
MikroTik RouterOS:- Before 7.19.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.