Critical Vulnerability Discovered in MikroTik Routers: Security Risks on the Rise
Recent developments in cybersecurity have brought renewed attention to a significant vulnerability in MikroTik routers that poses an alarming threat to users and businesses alike. First identified and patched in April 2023, the flaw, tracked as CVE-2018-14847, has regained urgency with the publication of a new proof-of-concept (PoC) remote code execution (RCE) attack. The technique, developed by researchers at Tenable, allows attackers to exploit the vulnerability and potentially compromise routers to gain unauthorized access and control.
The vulnerability lies in the Winbox management component, a web-based interface that administrators use to configure MikroTik routers. It lets attackers bypass authentication and read sensitive files simply by altering a request tied to a session ID. The issue was initially rated as moderate in severity, but the emergence of this new exploitation method has prompted a reassessment, raising its classification to critical.
The new exploit, termed “By the Way,” enables adversaries not only to extract administrator credentials from the user database but also to write files to the device, effectively achieving root access. Such capabilities allow unauthorized actors to alter router configurations, deploy malicious payloads, or disable firewall protections, escalating the risk for businesses that rely on MikroTik infrastructure.
The attack highlights an ongoing vulnerability trend associated with MikroTik devices, previously exploited by notorious malware such as VPNFilter. The recent cryptojacking campaigns further emphasize the enduring threats that MikroTik routers face, painting a concerning picture for organizations that have yet to secure their installations.
In addition to CVE-2018-14847, Tenable Research has identified several other critical issues within the MikroTik RouterOS framework, including stack buffer overflows and file upload vulnerabilities. These flaws could allow authenticated attackers to execute commands remotely, crash services, or launch denial-of-service attacks against the router’s HTTP server.
The vulnerabilities affect multiple firmware versions predating 6.42.7 and 6.40.9, both of which were patched in August. Despite these updates, a recent survey indicates that approximately 70 percent of MikroTik routers remain susceptible, equating to roughly 200,000 devices still at risk.
For business owners operating MikroTik routers, immediate action is crucial. Ensuring that RouterOS is updated to the latest versions can mitigate the risks posed by these vulnerabilities. Additionally, changing default credentials to complex, unique passwords is imperative to safeguard against potential breaches.
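The first step in the mitigation described above is knowing which routers still run firmware older than the two patched releases the article names (6.42.7 and 6.40.9). The following script is an added example, not code from MikroTik or Tenable: it parses RouterOS version strings from a constructed inventory and flags hosts that fall below those thresholds. It assumes that 6.40.x is a separate (long-term) branch fixed at 6.40.9 and that every other version is measured against 6.42.7; the hostnames and versions in the sample inventory are invented.

```python
"""Triage a RouterOS inventory against the patched versions named in the article.

Added example, not MikroTik's or Tenable's code. Assumes the article's two
thresholds: the 6.40 (long-term) branch is fixed at 6.40.9 and every other
branch at 6.42.7; anything older is flagged for update.
"""
import re
from typing import NamedTuple


class Router(NamedTuple):
    host: str
    version: str


# Patched versions stated in the article. 6.40.x is treated as its own
# (long-term) branch; every other version is measured against 6.42.7.
PATCHED_LONG_TERM = (6, 40, 9)
PATCHED_CURRENT = (6, 42, 7)

# major.minor[.patch] followed by optional non-numeric text such as " (stable)" or "rc3".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\D.*)?$")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn a RouterOS version string such as '6.42.6' into a comparable tuple.

    A missing patch number (e.g. '6.42') is read as .0. Raises ValueError on
    strings that do not look like a version, so bad inventory rows surface
    instead of silently passing as patched.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_patched(version: str) -> bool:
    """True when the version is at or above the patched release for its branch."""
    v = parse_version(version)
    if v[:2] == PATCHED_LONG_TERM[:2]:
        return v >= PATCHED_LONG_TERM
    return v >= PATCHED_CURRENT


def triage(inventory) -> dict:
    """Split an inventory into 'patched', 'vulnerable' and 'unparsable' host lists."""
    result = {"patched": [], "vulnerable": [], "unparsable": []}
    for router in inventory:
        try:
            bucket = "patched" if is_patched(router.version) else "vulnerable"
        except ValueError:
            bucket = "unparsable"
        result[bucket].append(router.host)
    return result


# Constructed sample inventory (hostnames and versions invented for this example).
SAMPLE_INVENTORY = [
    Router("edge-01.example", "6.42.6"),
    Router("edge-02.example", "6.42.7"),
    Router("branch-lt.example", "6.40.8"),
    Router("branch-lt2.example", "6.40.9"),
    Router("lab.example", "6.41.4"),
    Router("legacy.example", "5.26"),
    Router("unknown.example", "n/a"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Rows that cannot be parsed are reported separately rather than dropped, so an inventory export with a blank or malformed version field cannot make a router look patched by accident. Feed it your own export by building the `Router` list from that data instead of `SAMPLE_INVENTORY`.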
From a cybersecurity perspective, this incident illustrates a broader pattern of adversary tactics described in the MITRE ATT&CK framework. Techniques such as initial access through exploited vulnerabilities, privilege escalation, and the use of command-and-control infrastructure align with the methods employed in this recent attack. The situation serves as a reminder of the importance of proactive security measures in an ever-evolving threat landscape. Business owners must remain vigilant, continually assessing their cybersecurity posture to thwart potential attacks and maintain the integrity of their operations.