Vulnerability Allows Root Access to Hundreds of Thousands of MikroTik Routers

A critical Super Admin privilege escalation vulnerability threatens over 900,000 MikroTik routers running RouterOS.

The issue is tracked as CVE-2023-30799 and allows attackers who already have an administrator account to elevate their privileges to Super Admin via the Winbox or HTTP interface.

We also wrote about how the Mirai botnet attacks routers and that researchers have discovered more than two hundred vulnerabilities in popular routers.

VulnCheck explains that this problem does not seem serious at first glance. After all, if a potential attacker must already hold administrator privileges, the impact appears limited.

Unfortunately, this is unlikely to stop intruders: RouterOS does not prevent brute-force attacks, does not impose strict requirements on the administrator password, and ships with a default admin account whose credentials have been publicly known for a very long time.

Worse, until October 2021, the default administrator password was an empty string, and this problem was only fixed with the release of RouterOS 6.49. According to researchers, about 60% of MikroTik devices still use this account, although the manufacturer has long recommended deleting it.

"Mass exploitation [of a vulnerability] is complicated by the fact that valid credentials are required for an attack. However, routers lack basic brute-force protection. We deliberately do not publish a PoC exploit, but if it were available, it would certainly have been used [by hackers] in practice immediately after the publication of our article," VulnCheck experts say.

The vulnerability was discovered back in June 2022, and MikroTik fixed the problem in October 2022 in the stable version of RouterOS (6.49.7), and on July 19, 2023 a patch for the Long-term branch (6.49.8) was released. VulnCheck notes that fresh patches appeared only after specialists contacted the developers and shared new exploits with them.

According to Shodan statistics, 474,000 devices are vulnerable to CVE-2023-30799 because their management web page is reachable remotely. However, since the vulnerability can also be exploited via Winbox (the management client for MikroTik RouterOS devices), the number of vulnerable devices almost doubles, to 926,000.
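As an added example (not code from the article or from VulnCheck), a small triage script for a RouterOS device inventory: it compares each device's version against the fixed releases the article names (6.49.7 for the stable branch, 6.49.8 for long-term) and lists which of the two management services through which the bug is reachable (Winbox, HTTP) are exposed to untrusted networks. The inventory records, hostnames and field names are constructed for the example; 7.x devices are reported as "unknown" because the article says nothing about that branch.

```python
import re

# Fixed RouterOS releases named in the article for CVE-2023-30799, per branch.
FIXED_RELEASE = {"stable": (6, 49, 7), "long-term": (6, 49, 8)}
# Management services through which the article says the bug is reachable.
MGMT_SERVICES = {"www", "winbox"}

def parse_version(text):
    """Turn '6.48.6' or '6.49.8 (long-term)' into (major, minor, patch); None if unparseable."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def patch_status(version, branch):
    """'patch' if older than the fixed release for its branch, 'ok' if at or above it,
    'unknown' for branches or major versions the article does not cover (e.g. 7.x)."""
    ver = parse_version(version)
    fixed = FIXED_RELEASE.get(branch)
    if ver is None or fixed is None or ver[0] != 6:
        return "unknown"
    return "ok" if ver >= fixed else "patch"

def triage(inventory):
    """Map hostname -> (patch status, sorted management services open to untrusted networks)."""
    report = {}
    for dev in inventory:
        status = patch_status(dev["version"], dev["branch"])
        exposed = sorted(MGMT_SERVICES & set(dev["internet_facing_services"]))
        report[dev["host"]] = (status, exposed)
    return report

# Constructed sample inventory (hypothetical hosts and field names), not data from the article.
SAMPLE_INVENTORY = [
    {"host": "edge-1", "version": "6.48.6", "branch": "long-term", "internet_facing_services": ["winbox", "www", "ssh"]},
    {"host": "edge-2", "version": "6.49.7", "branch": "stable", "internet_facing_services": []},
    {"host": "edge-3", "version": "6.49.8 (long-term)", "branch": "long-term", "internet_facing_services": ["www"]},
    {"host": "edge-4", "version": "7.10", "branch": "stable", "internet_facing_services": ["winbox"]},
]

if __name__ == "__main__":
    for host, (status, exposed) in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}, exposed management services: {exposed or 'none'}")
```

A device reported as "ok" can still be at risk if the default admin account with a weak or empty password remains, so the version check complements, rather than replaces, an account review.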

Figure: RouterOS versions on devices discovered via Shodan

The researchers explain that Super Admin privileges go well beyond regular administrator privileges. In effect, a super administrator gets full and unrestricted access to the RouterOS operating system, a level of access normally reserved for the underlying system software rather than for a user.

Let me remind you that information security specialists have already pointed out that some MikroTik routers are vulnerable to hacker attacks.


About the author

Volodymyr Krasnogolovy

I'm a journalist, cybersecurity specialist, content manager, copywriter, and photojournalist. With a deep passion for cybersecurity and a diverse skill set, I'm excited to share my expertise through this blog. From researching the latest threats to crafting engaging narratives and capturing powerful visuals, I strive to provide valuable insights and raise awareness about the importance of cybersecurity.
