A critical privilege escalation vulnerability in MikroTik RouterOS could allow remote attackers to execute arbitrary code and take complete control of vulnerable devices. The flaw, designated CVE-2023-30799, carries a CVSS score of 9.1, reflecting its severity. According to a report by VulnCheck, an estimated 500,000 to 900,000 RouterOS systems are exposed to exploitation through their web and Winbox interfaces.
According to security researcher Jacob Baines, “CVE-2023-30799 does require authentication,” but the vulnerability then allows a straightforward privilege escalation from an admin to a ‘super-admin’ position, which grants access to arbitrary functions. Obtaining credentials for RouterOS systems can be surprisingly easy: the operating system lacks defenses against password brute-force attacks, and the default ‘admin’ user shipped with an empty password until changes were enforced in October 2021.
This vulnerability was initially disclosed without a CVE identifier by Margin Research in June 2022, under the exploit name FOISted. The security issue did not receive a fix until the release of RouterOS stable version 6.49.7 on October 13, 2022, and was later addressed for the long-term release on July 19, 2023.
VulnCheck emphasized that a long-term release patch was only made available after the vendor was contacted and further exploits targeting a broader array of MikroTik hardware were published. A proof-of-concept developed by the firm shows how FOISted, which was originally written only for RouterOS x86 virtual machines, can be adapted into a new exploit chain targeting MIPS-based hardware, enabling attackers to obtain a root shell on the router.
Baines pointed out that given RouterOS’ history as an APT target and the early release of FOISted, it is likely that others have previously discovered this vulnerability. Detection remains extremely challenging, as RouterOS employs custom encryption schemes that bypass conventional detection systems like Snort or Suricata. Once attackers gain access, they can effectively conceal their presence from the RouterOS user interface.
MikroTik routers have been exploited in the past to form distributed denial-of-service (DDoS) botnets, such as Mēris, and to serve as command-and-control proxies. Users are urged to patch this vulnerability urgently by updating to the latest RouterOS versions (6.49.8 or 7.x).
Recommendations for mitigating risks include removing MikroTik administrative interfaces from public access, restricting IP address logins, disabling the Winbox and web interfaces, and implementing SSH with public/private key authentication while disabling password logins. These steps are critical in safeguarding against potential exploitation stemming from this significant vulnerability.
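The hardening steps above, expressed as a RouterOS CLI configuration; this is an added example, not a configuration from the article or from MikroTik. The trusted admin network 10.0.100.0/24 and the key file name admin.pub are assumed placeholders.

```routeros
# Added hardening example (not from the article). Apply from a console or an
# existing SSH session; 10.0.100.0/24 and admin.pub are constructed placeholders.

# 1. Disable Winbox, the web interfaces (www, www-ssl) and other legacy
#    management services; keep only SSH, bound to the trusted admin network.
/ip service disable [find name~"winbox|www|telnet|ftp|api"]
/ip service set ssh address=10.0.100.0/24 port=22

# 2. Restrict the admin account itself so it can only log in from that network.
/user set admin address=10.0.100.0/24

# 3. Key-based SSH: import a public key previously uploaded to the router's
#    file store. With always-allow-password-login=no (the RouterOS default,
#    set explicitly here), a user holding an SSH key can no longer log in with
#    a password. strong-crypto=yes drops weak ciphers and MACs.
/user ssh-keys import public-key-file=admin.pub user=admin
/ip ssh set always-allow-password-login=no strong-crypto=yes

# 4. Firewall the input chain so management ports are unreachable from
#    anywhere else. place-before=0 puts each rule at the top: the drop is
#    added first, then the accept is inserted above it.
/ip firewall filter add chain=input protocol=tcp dst-port=22,80,443,8291 \
    action=drop comment="drop management from untrusted sources" place-before=0
/ip firewall filter add chain=input protocol=tcp dst-port=22 \
    src-address=10.0.100.0/24 action=accept comment="ssh from admin net" place-before=0

# 5. Verify: only ssh should be enabled, and the admin user should show the
#    address restriction and an imported key.
/ip service print
/user print
/user ssh-keys print
```

Confirm key-based login works from the admin network before closing the session used to apply the change, since a failed key import would otherwise lock out remote administration.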