Skip to content

900,000 MicroTik routers at risk; most affected in Brazil and India

  • by
  • 3 min read

Up to 900,000 MicroTik routers from Brazil, India, Indonesia, and Iran, among other countries, are vulnerable to a privilege escalation vulnerability (CVE-2023-30799) in the RouterOS operating system.

This flaw allows threat actors to gain complete control over affected devices, potentially leading to unauthorised access to an organisation’s network, researchers from VulnCheck observed.

Furthermore, it enables attackers to execute man-in-middle attacks on network traffic flowing through the router.

MicroTik is a popular choice for many organisations and internet service providers and counts well-known entities such as NASA, ABB, Ericsson, Saab, Siemens, and Sprint among its customers.

The number of routers affected by the vulnerability. | Source: VulnCheck

VulnCheck lead researcher, Jacob Baines, explained that an attacker with authenticated access to an affected MicroTik device could exploit the vulnerability. Acquiring credentials is not particularly difficult, as the RouterOS often ships with an “admin” user account with a default empty password, which some organisations neglect to delete despite recommendations. Additionally, RouterOS lacks password restrictions, leading to easily guessable passwords that offer minimal protection against brute-force attacks.

The exploit uses a Return Oriented Programming (ROP) chain, which chains together pieces of existing code on the system to execute malicious actions. This new ROP chain targets RouterOS on the MIPS big-endian architecture, significantly expanding the impact compared to previous vulnerabilities.

MikroTik had previously addressed a privilege elevation flaw in October 2022 for the RouterOS stable version but neglected to patch the Long-term versions until July 2023, leaving many devices at risk.

Most affected routers are from Brazil, with India following a close second. | Source: VulnCheck

VulnCheck’s findings highlight that this flaw’s impact is far larger than initially estimated, affecting approximately 926,000 devices due to exposure via the Winbox management client.

Despite the need for authenticated access, the exploit allows attackers to escalate their privilege to “Super Admin”, granting full access to the RouterOS operating system. This privilege level was intended for specific software functions, not normal users, making it valuable for malicious actors seeking to conceal their activities and make significant changes to the system.

VulnCheck has not released a proof-of-concept exploit to avoid further risk, but they warn that the potential for mass exploitation is still high. The researchers recommend organizations disable Winbox and Web interfaces, restrict admin login IP addresses, and replace passwords with stronger alternatives or adopt a password-less solution. Upgrading to the latest RouterOS version is crucial to safeguard against potential attacks.

Given the history of MikroTik routers targeted by advanced threat groups like TrickBot and VPNFilter, researchers urged customers to patch the devices. Failure to address the vulnerability could have dire consequences, allowing threat actors to exploit affected devices and compromise sensitive networks.

In the News: Apple releases critical security updates to tackle zero-day exploits

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: