Advisory

MikroTik Critical admin privilege elevation vulnerability exposing 900,000 devices

Take action: Time to log in to your MikroTik and update it immediately. An update takes less than 5 minutes of downtime. While you are at it, reset the password of the admin user to something long, complex and random, ideally generated by a password manager.


Learn More

A critical privilege elevation vulnerability, dubbed 'Super Admin', has been reported in MikroTik RouterOS routers, exposing over 900,000 devices to risk.

The flaw, tracked as CVE-2023-30799 (CVSS3 score 9.1), allows remote attackers who already hold an admin account to escalate their privileges to "super-admin" status via the device's Winbox or HTTP interface. This elevated privilege level is not intended for regular administrators and lets the attacker manipulate the address of a function call. Consequently, the attacker can take complete control of the device and potentially make significant changes to the underlying operating system or conceal malicious activity, effectively "jailbreaking" the RouterOS device.

The risk posed by this vulnerability is compounded by the following factors:

  • MikroTik RouterOS comes with a widely known default "admin" user. The default admin account remains in use on nearly 60% of MikroTik devices, despite the vendor's advice to delete it.
  • The default admin password was an empty string until October 2021, when it was fixed in RouterOS 6.49. Unpatched systems may still have an empty admin password.
  • RouterOS does not enforce admin password strength requirements, leaving users vulnerable to brute-force attacks.
  • MikroTik RouterOS does not effectively prevent password brute-force attacks, making it relatively easier for attackers to exploit.
  • Of course, too many users are lazy and haven't taken the proper security measures.

Despite the vulnerability being first disclosed without an identifier in June 2022, MikroTik addressed it in October 2022 for RouterOS stable (v6.49.7) and on July 19, 2023, for RouterOS Long-term (v6.49.8). VulnCheck, a cybersecurity research firm, has reported that the patch for the Long-term branch was made available only after they notified the vendor and shared new exploits targeting MikroTik hardware.
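The update and password steps above, together with the default-admin risk factor, can be triaged from two RouterOS CLI outputs. The following helper is an added example, not MikroTik's or VulnCheck's code: it parses the output of `/system resource print` and `/user print`, compares the version against the fixed releases named in this advisory (6.49.7 stable, 6.49.8 long-term), flags an enabled account literally named "admin", and generates a random replacement password. RouterOS 7.x is reported as not assessed because this advisory gives no 7.x threshold. The sample outputs embedded below are constructed for illustration and simplified from the real CLI layout.

```python
"""Triage helper for CVE-2023-30799 exposure on MikroTik RouterOS (added example)."""
import re
import secrets
import string

# Fixed versions named in the advisory for the 6.x release channels.
# 7.x is outside the advisory's scope and is reported as None ("not assessed").
FIXED_VERSIONS = {
    "stable": (6, 49, 7),
    "long-term": (6, 49, 8),
}

# Constructed sample of `/system resource print` (an unpatched stable build).
SAMPLE_RESOURCE = """\
                   uptime: 12d3h14m
                  version: 6.48.6 (stable)
               build-time: Jan/28/2022 12:27:17
"""

# Constructed sample of `/user print`; the ';;;' line is a RouterOS comment row.
SAMPLE_USERS = """\
Flags: X - disabled
 #   NAME   GROUP  ADDRESS      LAST-LOGGED-IN
 0   ;;; system default user
     admin  full
 1   ops    full   10.0.0.0/24  jul/20/2023 10:01:12
"""


def parse_version(resource_print):
    """Return (version_tuple, channel) from the 'version: X.Y.Z (channel)' line."""
    m = re.search(r"version:\s*([\d.]+)\s*\((\w[\w-]*)\)", resource_print)
    if not m:
        raise ValueError("no version line found in /system resource print output")
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = parts + (0,) * (3 - len(parts))   # '6.49' compares as 6.49.0
    return parts[:3], m.group(2)


def needs_update(version, channel):
    """True if below the advisory's fixed version for this channel,
    False if at or above it, None if the channel/major is not covered."""
    if version[0] != 6 or channel not in FIXED_VERSIONS:
        return None
    return version < FIXED_VERSIONS[channel]


def default_admin_present(user_print):
    """True if an *enabled* user named exactly 'admin' appears in /user print output."""
    for line in user_print.splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():
            tokens = tokens[1:]                 # drop the row number
        disabled = bool(tokens) and tokens[0] == "X"
        if disabled:
            tokens = tokens[1:]                 # drop the disabled flag
        if tokens and tokens[0] == "admin" and not disabled:
            return True
    return False


def generate_admin_password(length=32):
    """Random replacement password; a password manager is the preferred source."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def triage(resource_print, user_print):
    """Combine the checks into one report dict."""
    version, channel = parse_version(resource_print)
    return {
        "version": ".".join(map(str, version)),
        "channel": channel,
        "needs_update": needs_update(version, channel),
        "default_admin_present": default_admin_present(user_print),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_RESOURCE, SAMPLE_USERS)
    print(report)
    if report["needs_update"]:
        print("-> update RouterOS before doing anything else")
    if report["default_admin_present"]:
        print("-> rename or remove 'admin'; suggested new password:",
              generate_admin_password())
```

Paste the real output of the two commands in place of the constructed samples; a `needs_update` of `None` means the device runs a branch this advisory does not cover and must be checked against the vendor's own release notes.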

VulnCheck assessed the flaw's impact using Shodan and found that 474,000 devices were vulnerable because they remotely exposed the web-based management page. The vulnerability also affects Winbox, a management client for MikroTik. Over 926,000 devices exposed the management port used by Winbox, significantly increasing the risk and impact of potential attacks.

To demonstrate the exploit's viability, VulnCheck used Margin Research's FOISted remote RouterOS jailbreak exploit and identified a simplified ROP (Return-Oriented Programming) chain that broadens the exploit's applicability across various RouterOS versions.
