27 July 2023

Hundreds of thousands of MikroTik routers exposed to hacking due to a bug

Hundreds of thousands of MikroTik routers are potentially vulnerable to hacker attacks due to a privilege escalation vulnerability that can be exploited to take over the target device.

MikroTik is a Latvia-based network equipment company that develops and sells wired and wireless network routers, network switches, access points, as well as operating systems and auxiliary software. Its products and services are used in various sectors, such as telecommunications, government agencies, educational institutions, and enterprises.

Tracked as CVE-2023-30799, the issue stems from improperly imposed security restrictions in RouterOS. A remote authenticated user with “admin” privileges can bypass implemented security restrictions and obtain a “super-admin” role.

This is not a new bug. The flaw was first disclosed in June 2022 by Margin Research but did not receive a CVE ID at the time. The researchers released a PoC exploit called FOISted that allows obtaining a root shell on the RouterOS x86 virtual machine. The bug received an identifier only in July this year, after researchers at VulnCheck published new exploits that targeted a wider range of MikroTik hardware.

MikroTik fixed the issue in October 2022 in the RouterOS stable version 6.49.7 and on July 19, 2023, in the RouterOS Long-term version 6.49.8.

“In total, Shodan indexes approximately 500,000 and 900,000 RouterOS systems vulnerable to CVE-2023-30799 via their web and/or Winbox interfaces respectively,” VulnCheck said.

Although CVE-2023-30799 requires authentication, this is a dangerous vulnerability, the researchers warned, as acquiring credentials to RouterOS systems is easier than one might expect.

The problem is that RouterOS ships with a fully functional “admin” user, and the default “admin” password is an empty string.

“Even when an administrator has set a new password, RouterOS doesn’t enforce any restrictions. Administrators are free to set any password they choose, no matter how simple. That’s particularly unfortunate because the system doesn’t offer any brute force protection (except on the SSH interface),” VulnCheck says.

The company says that around 60% of RouterOS users are still running a default admin user.
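A defender's hardening sequence for the two weaknesses described above (the default "admin" account with an empty password, and management services reachable from the internet), added here as an example; it is not from the article or VulnCheck, and the account name, the passphrase placeholder and the 192.168.88.0/24 management subnet are assumptions to replace with your own values.

```routeros
# Added hardening example (not from the article or VulnCheck).
# The 192.168.88.0/24 range is a constructed placeholder for the management
# network; "netops-admin" and the passphrase are likewise placeholders.

# 1. Replace the well-known default login: create a named administrator with
#    a strong passphrase, then remove the built-in "admin" account.
/user add name=netops-admin group=full password="<long-random-passphrase>"
/user remove admin

# 2. Shrink the exposed management surface: disable services that are not
#    needed and bind the remaining ones to the management subnet only.
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service set www-ssl address=192.168.88.0/24

# 3. Confirm the running RouterOS version is at or above the fixed releases
#    named in the article (6.49.7 stable, 6.49.8 long-term); update if not.
/system resource print
/system package update check-for-updates
/system package update install
```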

Vulnerable MikroTik routers have been targeted by distributed denial-of-service (DDoS) botnets in the past. In 2021, hundreds of thousands of compromised MikroTik routers running various versions of RouterOS were infected with the Mēris botnet malware.
