Last updated: May 28, 2024
Loading table of contents...
Researchers have discovered a critical severity flaw that puts 926,000 MikroTik RouterOS routers at risk of being completely taken over by threat actors.
The vulnerability, designated CVE-2023-30799, affects RouterOS versions earlier than v6.49.7 Stable and v6.49.8 Long-term, allowing remote attackers with an existing admin account to elevate their privileges to "super-admin" via the device's Winbox or HTTP interface.
Super-admin privileges are normally only given to specific parts of the OS’s underlying software. This makes the vulnerability very valuable to threat actors seeking to "jailbreak" the router and make significant changes to its configuration and functionality to suit their unique purposes.
Identify, measure, and reduce your risk with a personalized attack surface report.
Our automated attack surface reports detect end-of-life software and operating systems, exposed devices and services, third-party risks & more.
Try it free
Although a valid admin account on the router is required to exploit the vulnerability, MikroTik routers are notorious for being easy to hack since they use “admin” as the username by default.
Furthermore, MikroTik routers aren’t equipped with any controls to detect and prevent brute-force password attacks. Attackers can simply use services like Shodan to find MikroTik devices hosted in countries of their choosing, then use one of the many publicly available brute-forcing tools to gain access.
Source: Bleeping Computer
Analysis
MikroTik routers have been a favourite of threat actors for many years due to their wide deployment and ease of compromise via various vulnerabilities and published proof of concept codes. Additionally, most MikroTik routers run open proxies and DNS servers by default, which are used by multiple threat actors to conduct DDoS attacks and other malicious activities.
For example, in 2022, a Russian state-sponsored botnet called Zhadnost used thousands of MikroTik routers to conduct DDoS attacks on the Ukrainian government and financial institutions. In another example, a 2019 cybercrime campaign exploited vulnerabilities in MikroTik routers to propagate laterally, and ultimately use Glupteba malware to drop cryptocurrency miners on victims' machines.
Further to being plentiful and easy to compromise, MikroTik routers have a very slow patching cadence as many users “set it and forget it”, choosing not or forgetting to patch their systems. The routers do not have an auto-update feature and MikroTik does not push updates to its user’s devices. This highly reduces the effectiveness of patching, much to the delight of threat actors.
Scan for MikroTik devices running one vulnerable version (6.48.6) of RouterOS Source: Shodan.io
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitors the cyber threat landscape for vulnerabilities discovered in devices such as MikroTik routers. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate the exploitation of these vulnerabilities. Field Effect MDR users are automatically notified when vulnerable devices are detected in their environment and are encouraged to review these AROs as quickly as possible.
Field Effect recommends that organizations patch MikroTik devices as soon as possible. We also encourage users to disable MikroTik’s open proxy function and configure the DNS server to only accept internal requests.
References
FAQs
Researchers have discovered a critical severity flaw that puts 926,000 MikroTik RouterOS routers at risk of being completely taken over by threat actors. The vulnerability, designated CVE-2023-30799, affects RouterOS versions earlier than v6. 49.7 Stable and v6.
What is the vulnerability of MikroTik FTP server? ›
A vulnerability in the FTP daemon on MikroTik routers through 6.44. 3 could allow remote attackers to exhaust all available memory, causing the device to reboot because of uncontrolled resource management. A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages.
What is the vulnerability of MikroTik firewall? ›
Up until version 6.49. 8 (July 20, 2023), MikroTik RouterOS Long-term was vulnerable to CVE-2023-30799. Remote and authenticated attackers can use the vulnerability to get a root shell on the router.
What are the security issues with MikroTik routers? ›
Indeed, MikroTik devices have a history of being targeted by advanced threat actors for various purposes, including spreading malware, launching DDos attacks, and building botnets. A notable example is the TrickBot botnet that was found abusing MikroTik routers as proxy servers for its C2 architecture.
Which super admin elevation bug puts 900000 MikroTik devices at risk? ›
A critical severity 'Super Admin' privilege elevation flaw puts over 900,000 MikroTik RouterOS routers at risk, potentially enabling attackers to take full control over a device and remain undetected.
What is the disadvantage of MikroTik? ›
One disadvantage of MikroTik is the learning curve associated with its CLI and scripting environment, which may be challenging for novice users.
What is one common security problem for FTP servers? ›
FTP was not built to be secure. It is generally considered to be an insecure protocol because it relies on clear-text usernames and passwords for authentication and does not use encryption. Data sent via FTP is vulnerable to sniffing, spoofing, and brute force attacks, among other basic attack methods.
How to make MikroTik more secure? ›
Here is a practical workflow:
- Change the Password of the user “admin” on the device. Remember the new password.
- Add new users to maintain the router. ...
- Test the new username and passwords to ensure you have access. ...
- Test the Winbox configuration to ensure it works with the new usernames/passwords.
- Delete the user “admin.”
The firewall implements stateful (by utilizing connection tracking) and stateless packet filtering and thereby provides security functions that are used to manage data flow to, from and through the router.
Which VPN is most secure on MikroTik? ›
SSTP is very secure but will perform worse than IPSec and PPTP. You need to add certificates to your Mikrotiks. SSTP is good for getting around outbound firewalls since it's encrypted and normally transported over port 443. OpenVPN on a Mikrotik is limited to using TCP only.
MikroTik is a Latvian company which was founded in 1996 to develop routers and wireless ISP systems. MikroTik now provides hardware and software for Internet connectivity in most of the countries around the world.
Is it safe to use MikroTik? ›
Although a valid admin account on the router is required to exploit the vulnerability, MikroTik routers are notorious for being easy to hack since they use “admin” as the username by default. Furthermore, MikroTik routers aren't equipped with any controls to detect and prevent brute-force password attacks.
What is the admin port of MikroTik router? ›
Usually we use Winbox application to log in to MikroTik router's admin panel. Winbox runs on default port 8291. If the default port is changed to a custom port it would require the exact port number to browse the admin panel. It will be a secured way when logging in using IP, username and password.
Is MikroTik enterprise grade? ›
MikroTik routers offer a high performance-to-price ratio, making them an attractive option for businesses looking to maximize their networking budget. They provide enterprise-grade features at a fraction of the cost of competitors like Cisco.
What is admin elevation? ›
When the administrator needs to perform a task that requires the administrator access token, Windows automatically prompts the user for approval. This prompt is called an elevation prompt, and its behavior can be configured via policy or registry.
What are the security vulnerabilities of FTP? ›
Common FTP vulnerabilities include: Brute Force Attacks: Attackers can guess or crack weak FTP passwords. Data Interception: Data transmitted over FTP can be intercepted, exposing sensitive information. Directory Traversal: Attackers may exploit this vulnerability to access unauthorized directories on the server.
What's one major vulnerability of the FTP protocol? ›
Data Sent in Clear Text: One of the most significant security weaknesses of FTP is that both the data being transferred and the user credentials (username and password) are sent in clear text. This means that if the transmission is intercepted, the information can be easily read and utilized by cybercriminals.
What is the risk of FTP port? ›
File Transfer Port Exposure Risks. Because each of these file transfer protocols operates over a port, securing those ports is an important protection task. A recommended practice is to close unnecessary ports and limit transfer over internal networks or a VPN to prevent public traffic interception.
Is active FTP a security risk? ›
In both cases, the data transferred between client and server is unencrypted and therefore open to sniffing attacks. For more secure file transfers, we recommend using FTP/S or SFTP.
