6.47.10 Exploit - Mikrotik

Once logged in via WinBox or SSH with a valid admin account, the attacker's next step is privilege escalation.

CVE-2023-30799, for which a public exploit named "FOISted" was first shown in June 2022, is a privilege escalation vulnerability in the RouterOS IPC message mechanism. A remote attacker who already holds an ordinary admin account can bypass the policy restrictions and elevate to super-admin, the internal privilege level that grants unrestricted access to the underlying operating system. Although it requires prior authentication, it is a particularly dangerous post-exploitation vector: with super-admin the attacker can disable security logging, install persistent malware, or pivot deeper into the network. MikroTik patched the flaw in stable 6.49.7 and long-term 6.49.8; a router still running 6.47.10 remains vulnerable to this escalation.

The only definitive protection against these flaws is to upgrade off the legacy 6.47.x builds, switching the package-update channel if necessary; MikroTik fixed them in later releases. The upgrade targets given on this page (the first row's branch and minimum version are missing):

Desired branch      Secure minimum version     Resolves
                                               WinBox user enumeration & SMB crashes
RouterOS v7         current release            Full software modernization and performance overhaul

The upgrade itself is driven from the /system package update menu on the CLI (or from WinBox). The firewall rules below reduce exposure of the management plane in the meantime; they do not patch anything.
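The channel change and upgrade, as an added example that is not part of the original page. It assumes a RouterBOARD device with outbound access to MikroTik's upgrade servers; the long-term channel chosen here is an assumption, substitute stable if that is your policy.

```routeros
# Added example, not from the original page: moving a router off 6.47.10.
# Paste into a terminal (WinBox > New Terminal, or SSH). Assumes outbound
# access to upgrade.mikrotik.com and a RouterBOARD device; the channel
# chosen here (long-term) is an assumption.

# 0. Record what you have and take backups before touching anything
/system resource print
/system backup save name=pre-upgrade
/export file=pre-upgrade

# 1. Pick the branch and query for a newer release
/system package update set channel=long-term
/system package update check-for-updates

# 2. Download the packages and install them (the router reboots)
/system package update install

# 3. After the reboot, bring the RouterBOOT bootloader to the matching
#    version and reboot once more
/system routerboard upgrade
/system reboot

# 4. Confirm the running version and installed packages
/system resource print
/system package print
```

On CHR there is no RouterBOOT, so step 3 does not apply. If the goal is RouterOS v7, go through the latest 6.49.x release first, as MikroTik's upgrade notes advise, rather than jumping straight from 6.47.10.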

Firewall rules that limit WinBox (TCP 8291) to a trusted source list and drop invalid and ICMP traffic on the input chain:

/ip firewall filter
add chain=input protocol=tcp dst-port=8291 action=drop src-address-list=!trusted
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=drop

Two caveats. Populate the trusted address list (/ip firewall address-list) with your management hosts before adding the first rule, otherwise WinBox is blocked from everywhere, your own workstation included. Dropping all ICMP also discards path-MTU and diagnostic messages, so many operators rate-limit ICMP instead of dropping it outright.

Securing MikroTik RouterOS: Analyzing the Vulnerabilities of Version 6.47.10

Impact: Remote attackers can cause an immediate device crash and an endless reboot loop, disrupting corporate networks without needing any credentials.

3. CVE-2024-54772 (WinBox User Enumeration)

The WinBox service answers login attempts for valid and invalid usernames with responses of different sizes, which lets an unauthenticated attacker enumerate which accounts exist and then target them directly.

While 6.47.10 addressed the wireless vulnerabilities it was released to fix, it carries forward numerous other critical flaws in the broader 6.47.x codebase that were only patched in later releases.

A successful exploit can lead to Remote Code Execution (RCE) without requiring prior authentication.

While RCE and privilege escalation typically dominate security discussions, denial of service (DoS) vulnerabilities in network infrastructure can be equally devastating, causing network outages that affect entire organizations.

The most effective defense is to disable every vulnerable service that is not strictly required for operations. The SCEP server (/certificate scep-server) should be disabled unless certificate enrollment over SCEP is needed. The FTP service (/ip service) should likewise be disabled, or restricted to trusted management addresses with its address parameter. The lcdstat service can only be exploited once the admin account is already compromised, which underscores the importance of strong, unique administrator passwords and of keeping management access off untrusted networks.

Version 6.47.10 was released in June 2021. Since then, MikroTik has released numerous security patches in both the stable and long-term channels. The vulnerabilities discussed here—CVE-2021-41987, CVE-2023-30799, CVE-2020-22845, CVE-2020-20250, and CVE-2020-20252—have all been addressed in later releases. Specifically, CVE-2023-30799 is patched in 6.49.7 (stable) and 6.49.8 (long-term). Do not confuse version numbering: 6.47.10 is older than 6.49.x. Review the MikroTik changelog for the latest security and feature updates.

Attribution: Threat intelligence from TeamT5 linked this exploit to HUAPI (also known as BlackTech), an APT group known for targeting government and technology organizations across East Asia.

Legacy of the 6.47.x Era

Using a Python script that replicates CVE-2018-14847, the attacker downloads user.dat. CVE-2018-14847 is the WinBox directory-traversal bug fixed in 6.42.1, so this step only succeeds against routers that were never upgraded past that release. On those builds no cracking with John the Ripper or Hashcat is needed: passwords in user.dat are not salted hashes but a reversible obfuscation (the password XORed with the MD5 of the username plus a fixed string), so recovery is immediate for any password, weak or strong.

2. SMB Protocol Service Crashes (CVE-2024-27686 & CVE-2020-22844)

Disable unneeded services: if certificate enrollment is not in use, disable the SCEP server under /certificate scep-server.

Firewall Restrictions: limit WinBox and the other management services to trusted source addresses, as in the input-chain filter rules earlier on this page.
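A service lockdown covering both the disable-unneeded-services advice and the firewall restrictions above, as an added example that is not code from the original page. The 192.0.2.0/24 management prefix is an assumption; the address-list name trusted is the one the input filter rules on this page reference.

```routeros
# Added example, not from the original page: lock down RouterOS 6.x management
# services. Assumptions: management hosts are in 192.0.2.0/24 and the trusted
# address list is named "trusted" (the name the input filter rules use).

# Management sources, referenced by the firewall rules
/ip firewall address-list add list=trusted address=192.0.2.0/24 comment="management"

# SCEP server: off unless certificates are enrolled over SCEP
# (foreach tolerates a router with no scep-server entries at all)
:foreach i in=[/certificate scep-server find] do={ /certificate scep-server set $i disabled=yes }

# Plaintext and unused management services: off
/ip service set ftp disabled=yes
/ip service set telnet disabled=yes
/ip service set www disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes

# Remaining services: reachable from the management prefix only
/ip service set ssh address=192.0.2.0/24
/ip service set winbox address=192.0.2.0/24
/ip service set www-ssl address=192.0.2.0/24

# SMB file sharing: off
/ip smb set enabled=no

# Layer-2 management paths that bypass the IP firewall: off
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/ip neighbor discovery-settings set discover-interface-list=none
/tool bandwidth-server set enabled=no

# Verify
/ip service print
/certificate scep-server print
/ip smb print
```

Apply this from a session on a management address that is inside the prefix, and keep that session open until /ip service print confirms the bindings; the service address filter and the firewall rules are independent layers, so a typo in one does not get a second chance from the other.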
