Half a Million MikroTik Routers Vulnerable to Takeover Attacks

Security researchers have identified a critical vulnerability affecting over 500,000 MikroTik routers and 900,000 RouterOS systems, allowing attackers to elevate rights to super-admin and eventually take over.

Routers are among the most-targeted IoT devices because they are usually gatekeepers to users’ networks and, implicitly, to numerous other devices. And since routers, by definition, are always connected to the internet, it also means that hackers and researchers will look for vulnerabilities.

Security researchers from VulnCheck created new exploits that would take advantage of CVE-2023-30799, a privilege escalation vulnerability that MikroTik patched as of July 20, 2023.

It would be easy to dismiss the vulnerability because there’s already a patch for it, and attackers would still need authentication to exploit it. But there’s a catch: not everyone has applied the latest MikroTik6.49.8 patch, so many routers still vulnerable.

“On July 18, VulnCheck found that RouterOS Long-term 6.48.6 (the most recent Long-term at the time) was the second most installed RouterOS version according to Shodan,” explained VulnCheck in the firm’s report.

“In total, Shodan indexes approximately 500,000 and 900,000 RouterOS systems vulnerable to CVE-2023-30799 via their web and/or Winbox interfaces respectively,” VulnCheck added.

This brings up the second hurdle. Attackers need authentication to exploit the CVE-2023-30799 vulnerability, and it turns out that’s actually not a complicated process.

“To make matters worse, the default ’admin‘ password is an empty string, and it wasn’t until RouterOS 6.49 (October 2021) that RouterOS started prompting administrators to update blank passwords,” the researchers said. “Even when an administrator has set a new password, RouterOS doesn’t enforce any restrictions. Administrators are free to set any password they choose, no matter how simple. That’s particularly unfortunate because the system doesn’t offer any brute force protection (except on the SSH interface).”

“However, because Margin Research reverse-engineered the newest web interface authentication, we are free to resume brute force activities on that interface once again. To demonstrate that, we quickly threw together a simple dictionary brute force tool that works against RouterOS versions up to the latest 6.x release,” they said.

The best way to protect your MikroTik router is to apply the latest patch immediately, remove MikroTik administrative interfaces, permit admin access from select IP addresses, disable the Winbox and the web interfaces, and use SSH for administration. Also, you should use public or private keys for SSH authentication and turn off passwords altogether.