
Mikrotik Routeros Authentication Bypass Vulnerability Cracked [upd]

While MikroTik regularly patches bugs, the current concern revolves around a category of vulnerabilities classified as Improper Access Control (CWE-284). Specifically, researchers have identified a flaw in how RouterOS handles session tokens and the WinBox/HTTP API interfaces.

The "cracked" nature of these vulnerabilities stems from a perfect storm of design flaws and user neglect.

If you manage a MikroTik router, assume that any device exposed to the internet with an old version of RouterOS is already compromised. Isolate it, patch it, and audit your logs for sessions at unexpected times.
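The log audit suggested above, as an added example that is not part of the original page: it parses login events in the shape RouterOS writes them (an assumed format, with constructed sample lines) and flags sessions that come from outside the management network or outside normal working hours. The management network and hours are placeholders to adjust.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines in the shape RouterOS logs account events under the
# "system,info,account" topics. The exact format is an assumption; compare with
# the output of /log print on your router and adjust LOGIN_RE if it differs.
SAMPLE_LOG = """\
2024-03-01 09:12:44 system,info,account user admin logged in from 192.168.88.10 via winbox
2024-03-01 03:27:05 system,info,account user admin logged in from 203.0.113.45 via api
2024-03-01 14:05:19 system,info,account user ops logged in from 192.168.88.12 via ssh
2024-03-01 23:41:58 system,info,account user admin logged in from 198.51.100.7 via www
2024-03-01 12:00:00 system,info,account user admin logged out from 192.168.88.10 via winbox
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) system,info,account "
    r"user (?P<user>\S+) logged in from (?P<ip>\S+) via (?P<svc>\S+)$"
)

# Assumptions for this example: admins only log in from this subnet, during these hours.
MGMT_NETS = [ip_network("192.168.88.0/24")]
BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59 local router time


def parse_logins(text):
    """Return one dict per successful login line; logouts and other events are ignored."""
    logins = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            logins.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "user": m["user"],
                "ip": ip_address(m["ip"]),
                "svc": m["svc"],
            })
    return logins


def audit_logins(logins, mgmt_nets=MGMT_NETS, hours=BUSINESS_HOURS):
    """Flag logins from outside the management networks or outside expected hours."""
    findings = []
    for e in logins:
        reasons = []
        if not any(e["ip"] in net for net in mgmt_nets):
            reasons.append("source outside management networks")
        if e["ts"].hour not in hours:
            reasons.append("login outside expected hours")
        if reasons:
            findings.append((e["ts"].isoformat(sep=" "), e["user"], str(e["ip"]), e["svc"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, ip, svc, reasons in audit_logins(parse_logins(SAMPLE_LOG)):
        print(f"{ts} {user}@{ip} via {svc}: {', '.join(reasons)}")
```

Run against the constructed sample, the two logins from public addresses at 03:27 and 23:41 are reported; the daytime logins from the management subnet are not. Feed it the real `/log print` output (or remote syslog) and tune the subnet and hours to your environment.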

MikroTik security advisory (March 2023)

MikroTik released a patch for the vulnerability in RouterOS version 6.42. To mitigate the vulnerability, users are advised to upgrade to a patched version of RouterOS. Additionally, users can take the following steps:
