Security Affairs
Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month|U.S. Treasury Sanctions VPN Provider and Cryptor Seller Behind Billions in Ransomware Losses|Attacker Used AI to Build Custom PowerShell Recon Malware|Malware Hits Japan’s Largest Taxi Company Nihon Kotsu, Services Temporarily Suspended|CrashStealer: New macOS Infostealer Uses Signed Apps to Evade Gatekeeper|Lidl Notified Online Shop Customers in Germany, Belgium, and the Netherlands of a Data Breach|U.S. CISA adds a Cisco IOS flaw to its Known Exploited Vulnerabilities catalog|EU Targets FSB-Linked Hackers in New Sanctions Over Cyber Sabotage|Dutch Nationals Suspected in Odido Hack That Exposed Six Million Customers|Australia Alerts Organizations to Ongoing CMS Exploitation Attacks|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|Patch Tuesday security updates for July 2026, the largest update ever. 621 CVEs in one month|U.S. Treasury Sanctions VPN Provider and Cryptor Seller Behind Billions in Ransomware Losses|Attacker Used AI to Build Custom PowerShell Recon Malware|Malware Hits Japan’s Largest Taxi Company Nihon Kotsu, Services Temporarily Suspended|CrashStealer: New macOS Infostealer Uses Signed Apps to Evade Gatekeeper|Lidl Notified Online Shop Customers in Germany, Belgium, and the Netherlands of a Data Breach|U.S. CISA adds a Cisco IOS flaw to its Known Exploited Vulnerabilities catalog|EU Targets FSB-Linked Hackers in New Sanctions Over Cyber Sabotage|Dutch Nationals Suspected in Odido Hack That Exposed Six Million Customers|Australia Alerts Organizations to Ongoing CMS Exploitation Attacks|Ryuk Ransomware Member Pleads Guilty Over Attacks on U.S. Organizations|Progress Told ShareFile Customers to Pull the Plug on Their Servers. Here’s What We Know.|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Over 500K MikroTik RouterOS systems potentially exposed to hacking due to critical flaw

Experts warn of a severe privilege escalation, tracked as CVE-2023-30799, in MikroTik RouterOS that can be exploited to hack vulnerable devices. VulnCheck researchers warn of a critical vulnerability, tracked as CVE-2023-30799 (CVSS score: 9.1), that can be exploited in large-scale attacks to target over 500,000 RouterOS systems. “MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6 are […]

MikroTik RouterOS

Experts warn of a severe privilege escalation, tracked as CVE-2023-30799, in MikroTik RouterOS that can be exploited to hack vulnerable devices.

VulnCheck researchers warn of a critical vulnerability, tracked as CVE-2023-30799 (CVSS score: 9.1), that can be exploited in large-scale attacks to target over 500,000 RouterOS systems.

“MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6 are vulnerable to a privilege escalation issue. A remote and authenticated attacker can escalate privileges from admin to super-admin on the Winbox or HTTP interface.” reads the advisory published by NIST. “The attacker can abuse this vulnerability to execute arbitrary code on the system.”

MikroTik RouterOS is an operating system designed to run on MikroTik’s line of routers and other network devices.

The CVE-2023-30799 flaw can be exploited by a remote and an authenticated attacker to escalate privileges from admin to ‘super-admin’ which allows it to get a root shell on the router.

The vulnerability CVE-2023-30799 was first disclosed in June 2022 at REcon by Margin Research employees, Ian Dupont and Harrison Green. The duo also released a PoC exploit called FOISted that allows obtaining a root shell on the RouterOS x86 virtual machine. On July 19, 2023, VulnCheck researchers published new exploits to target a wider range of MikroTik hardware and the flaw received a CVE.

“In total, Shodan indexes approximately 500,000 and 900,000 RouterOS systems vulnerable to CVE-2023-30799 via their web and/or Winbox interfaces respectively.” reads the analysis published by VulnCheck.

The Mikrotik RouterOS operating system does not support brute force protection and the default “admin” user password was an empty string until October 2021. With the release of RouterOS 6.49 in October 2021, administrators were prompted to change the password

.

The researchers warn that detection is nearly impossible because the RouterOS web and Winbox interfaces implement custom encryption schemes that tools like Snort or Suricata can decrypt and inspect. Once an attacker has gained a foothold on the device, it cannot be visible to the RouterOS UI.

The researchers advise keeping a close eye on brute force attempts or the uploading of malicious ELF binaries to the device as a means of identifying any ongoing attacks.

Below are recommendations provided by the experts:

  1. Remove MikroTik administrative interfaces from the internet.
  2. Restrict which IP addresses administrators can login from.
  3. Disable the Winbox and the web interfaces. Only use SSH for administration.
  4. Configure SSH to use public/private keys and disable passwords.

“As we’ve seen, exploitation of CVE-2023-30799 on hardware turned out to be quite easy. Given RouterOS’ long history of being an APT target, combined with the fact that FOISted was released well over a year ago, we have to assume we aren’t the first group to figure this out.” concludes the report.

Follow me on Twitter: @securityaffairs Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, MikroTik RouterOS)