A recent discovery by VulnCheck has revealed a critical security flaw in MikroTik RouterOS Long-term versions prior to 6.49.8 (as of July 20, 2023), tracked as CVE-2023-30799. It leaves these routers exposed to remote, authenticated attackers, who can exploit the flaw to gain root access, potentially leading to widespread damage.
The vulnerability first came to light last summer, in June 2022, when Margin Research disclosed an exploit called FOISted at the REcon conference that could obtain a root shell. However, due to the design of the exploit, it only worked on the RouterOS x86 virtual machine, which was a less common version of the software.
MikroTik then addressed the issue in October 2022 with the release of RouterOS stable version 6.49.7, but the Long-term version remained exposed until recently.
Researchers at VulnCheck published new proof-of-concept exploits that extended the vulnerability's reach to a wider range of MikroTik hardware. Consequently, CVE-2023-30799 was assigned to this vulnerability on July 19, 2023. Although authentication is required, the flaw allows privilege escalation from admin to "super-admin," granting attackers the ability to make an arbitrary function call.
Unfortunately, obtaining credentials to RouterOS systems is easier than expected, as many installations still retain the default “admin” user, despite security recommendations to remove it. Moreover, the default “admin” password is often left as an empty string and RouterOS lacks password complexity enforcement or brute-force protection.
The vulnerability's reach is potentially vast. A recent Shodan query by VulnCheck indexed approximately 500,000 to 900,000 RouterOS systems vulnerable to CVE-2023-30799.
Administrators are advised to:
- remove MikroTik administrative interfaces from the internet
- restrict login IP addresses
- disable Winbox and web interfaces
- exclusively use SSH for administration, configuring it to use public/private keys and disabling passwords
Upgrading the software to version 6.49.8 or the most recent 7.x stable is the most effective way to safeguard MikroTik routers against potential attacks.
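The following script is an added example (not code from VulnCheck or MikroTik) that turns the checklist above into an audit a defender can run against data pulled from a router: it parses the text output of RouterOS `/ip service print`, checks the reported version against the 6.49.8 threshold named in this article, and lists which items are still open (Winbox/web interfaces enabled, SSH reachable from any address, the default "admin" user still present). The two `/ip service print` samples are constructed from memory of the command's column layout and should be checked against your own device; treating telnet, ftp and the API services as in-scope alongside Winbox and the web UIs is an assumption beyond the article's list, since they also offer password logins over the network.

```python
"""Audit RouterOS exported state against the hardening checklist (added example)."""
import re

# Threshold from the article: Long-term 6.x releases before 6.49.8 are affected.
FIXED_6X = (6, 49, 8)

# Winbox and the web UIs are named in the checklist; telnet/ftp/api are an
# added assumption (they also expose password logins over the network).
DISCOURAGED_SERVICES = {"winbox", "www", "www-ssl", "telnet", "ftp", "api", "api-ssl"}

# One row of `/ip service print`: index, optional flag letters, name, port,
# optional ADDRESS column (only tokens that look like an IP/CIDR list count,
# so a trailing CERTIFICATE value such as "none" is not mistaken for an address).
SERVICE_LINE = re.compile(r"^\s*(\d+)\s+([XI]*)\s*([a-z][\w-]*)\s+(\d+)(?:\s+(\d[\d./,]*))?")

# Constructed sample of a factory-default service table (all services enabled).
SAMPLE_DEFAULT = """\
Flags: X - disabled, I - invalid
 #   NAME      PORT  ADDRESS            CERTIFICATE
 0   telnet    23
 1   ftp       21
 2   www       80
 3   ssh       22
 4 X www-ssl   443                      none
 5   api       8728
 6   winbox    8291
 7 X api-ssl   8729                     none
"""

# Constructed sample after applying the checklist: SSH only, from the LAN.
SAMPLE_HARDENED = """\
Flags: X - disabled, I - invalid
 #   NAME      PORT  ADDRESS            CERTIFICATE
 0 X telnet    23
 1 X ftp       21
 2 X www       80
 3   ssh       22    192.168.88.0/24
 4 X www-ssl   443                      none
 5 X api       8728
 6 X winbox    8291
 7 X api-ssl   8729                     none
"""


def parse_version(text):
    """'6.49.7', '7.11.2' or '6.49.8 (long-term)' -> tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no RouterOS version found in {text!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def needs_upgrade(version_text):
    """True when a 6.x release is older than the 6.49.8 fix named in the article.
    7.x returns False: the article gives no 7.x threshold, only 'latest stable'."""
    v = parse_version(version_text)
    return v[0] == 6 and v < FIXED_6X


def parse_ip_service_print(text):
    """Parse `/ip service print` into {name: {'disabled', 'port', 'address'}}."""
    services = {}
    for line in text.splitlines():
        m = SERVICE_LINE.match(line)
        if not m:
            continue  # legend and header lines
        _, flags, name, port, address = m.groups()
        services[name] = {"disabled": "X" in flags, "port": int(port), "address": address}
    return services


def audit_services(services):
    """Return checklist findings for the parsed service table (empty list = clean)."""
    findings = []
    for name in sorted(DISCOURAGED_SERVICES & set(services)):
        if not services[name]["disabled"]:
            findings.append(f"{name} is enabled on port {services[name]['port']}: disable it")
    ssh = services.get("ssh")
    if ssh is None or ssh["disabled"]:
        findings.append("ssh is disabled: it should be the only administrative channel")
    elif not ssh["address"]:
        findings.append("ssh accepts logins from any source address: restrict it")
    return findings


def audit_users(usernames):
    """Flag the default 'admin' account the article says is commonly left in place."""
    return ["default 'admin' user still exists: replace it with a named account"] \
        if "admin" in usernames else []


def run_audit(version_text, service_print, usernames):
    """Combine all checks into one list of findings."""
    findings = []
    if needs_upgrade(version_text):
        findings.append(f"RouterOS {version_text} is below 6.49.8: upgrade")
    findings += audit_services(parse_ip_service_print(service_print))
    findings += audit_users(usernames)
    return findings


if __name__ == "__main__":
    for f in run_audit("6.49.7", SAMPLE_DEFAULT, ["admin"]):
        print("FINDING:", f)
    print("hardened sample:", run_audit("6.49.8", SAMPLE_HARDENED, ["netops"]) or "clean")
```

Run it against the real output of `/system resource print`, `/ip service print` and `/user print` copied from a device; an empty findings list means every item of the checklist above is satisfied.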