CVE-2018-14847

Published: 02/08/2018 Updated: 07/03/2019
CVSS v2 Base Score: 6.4 | Impact Score: 4.9 | Exploitability Score: 10
CVSS v3 Base Score: 9.1 | Impact Score: 5.2 | Exploitability Score: 3.9
VMScore: 648
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Summary

MikroTik RouterOS up to and including 6.42 allows unauthenticated remote malicious users to read arbitrary files and remote authenticated malicious users to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.

Affected Products

Vendor: Mikrotik | Product: Routeros | Versions: 6.42

Exploits

/*
# Exploit Title: RouterOS Remote Rooting
# Date: 10/07/2018
# Exploit Author: Jacob Baines
# Vendor Homepage: www.mikrotik.com
# Software Link: mikrotik.com/download
# Version: Longterm: 6.30.1 - 6.40.7 Stable: 6.29 - 6.42 Beta: 6.29rc1 - 6.43rc3
# Tested on: RouterOS Various
# CVE : CVE-2018-14847
By the Way is an exploit coded in C++ ...

Mailing Lists

Mikrotik RouterOS versions 6.x suffer from a remote root code execution vulnerability ...
Mikrotik WinBox version 6.42 suffers from a credential disclosure vulnerability ...

Github Repositories

WinboxExploit: This is a proof of concept of the critical WinBox vulnerability (CVE-2018-14847) which allows for arbitrary file read of plain text passwords. Blogpost: n0p.me/winbox-bug-dissection/. Requirements: Python 3+. This script will NOT run with Python 2.x or lower. How To Use: The script is simply used with simple arguments in the commandline. WinBox (TCP/IP) Explo

WinboxExploit: This is a proof of concept of the critical WinBox vulnerability (CVE-2018-14847) which allows for arbitrary file read of plain text passwords. Requirements: Python 3+. This script will NOT run with Python 2.x or lower. How To Use: The script is simply used with simple arguments in the commandline. WinBox (TCP/IP): Exploit the vulnerability and read the password pyt

MikroRoot: Automated version of CVE-2018-14847. It will scrape shodan for vulnerable host and then try to exploit them. How to use: Note that this script will NOT run with Python 2.x. Use only Python 3+. MikroRoot: python3 MikroRoot.py -k SHODAN_KEY -p page count. User: ncss Pass: ncss!@#2018 IP: 1234. Arguments: -p page count to scrape, -k Shodan key. Author of exploit githu

Mikrotik Beast tool: Mass MikroTik WinBox Exploitation tool, CVE-2018-14847. This tool allows you to scan a range of network hosts (CIDR) against the CVE-2018-14847 winbox exploit. Usage: $ python3 mikrotikbeast.py. Accepted input examples: Example 1: '19216850/24', Example 2: '1721600/16'. NOTES: This is just an addition to the original work @ BigNerd95

WinboxExploit: C# implementation of BasuCert/WinboxPoC [Winbox Critical Vulnerability (CVE-2018-14847)]. Just reimplemented a solution from [github.com/BasuCert/WinboxPoC]

This is a proof of concept of the critical WinBox vulnerability (CVE-2018-14847) which allows for arbitrary file read of plain text passwords. Requirements: Python 3+. This script will NOT run with Python 2.x or lower

sapulidi: Sapulidi is a script for cleaning up malicious scripts left by attackers who attack MikroTik using the CVE-2018-14847 vulnerability in RouterOS. Versions affected: Affected all bugfix releases from 6.30.1 to 6.40.7, fixed in 6.40.8 on 2018-Apr-23. Affected all current releases from 6.29 to 6.42, fixed in 6.42.1 on 2018-Apr-23. Affected all RC releases from 6.29rc1

Bug Hunting in RouterOS: The tools in this repository were originally presented at Derbycon 2018. The tools were written to aid in (or were the result of) bug hunting in RouterOS. The main focus is the message protocol used on ports 80 and 8291. Building: Each project is separated down into its own unit so you can't, currently, compile everything at once. Everything, except

Dark Splitz - Exploit Framework: This tool is continued from Nefix, DirsPy and Xmasspy project. Installation: Will work fine in the debian shade operating system, like Backbox, Ubuntu or Kali linux. $ git clone github.com/koboi137/darksplitz $ cd darksplitz/ $ sudo ./install.sh. Features: Extract mikrotik credential (user.dat), Password generator, Reverse IP lookup, Mac ad

Awesome CVE PoC: A curated list of CVE PoCs. Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

Glupteba Malware Uses Bitcoin Blockchain to Update C2 Domains
BleepingComputer • Sergiu Gatlan • 04 Sep 2019

A new variant of the Glupteba malware dropper is using the Bitcoin blockchain to fetch command and control (C2) server domains from Bitcoin transactions marked with OP_RETURN script opcodes.
Glupteba has been previously distributed as a secondary payload by the Alureon Trojan as part of a 2011 campaign designed to push clickjacking contextual advertising, as well as by the threat actors behind Operation Windigo onto their targets' Windows computers with the help of exploit kits in 201...

Huawei Router Flaw Leaks Default Credential Status
Threatpost • Tara Seals • 20 Dec 2018

A vulnerability in some Huawei routers used for carrier ISP services allows cybercriminals to identify whether the devices have default credentials or not – without ever connecting to them.
CVE-2018-7900 exists in the router panel and allows credentials information to leak – so attackers can simply perform a ZoomEye or Shodan IoT search to find a list of the devices having default passwords – no need for bruteforcing or running the risk of running into a generic honeypot.
“When...

If you haven't already patched your MikroTik router for vulns, then if you could go do that, that would be greeeeaat
The Register • Richard Chirgwin • 11 Oct 2018

MikroTik. Stupid name. Stupid bugs. Get those fixes

If you haven't installed a batch of patches for bugs in your MikroTik routers – and two thirds of owners apparently haven't – then stiffen the sinews and summon up the blood: you really need to update your firmware.
The vulnerabilities, which were addressed by the manufacturer way back in August in software updates, can lead all the way up to remote code execution (RCE) if exploited. We're told that roughly 68 per cent of vulnerable MikroTik gear facing the internet remain unpatched, t...

Fancy Bear still Putin out new modules for VPNFilter malware
The Register • Richard Chirgwin • 27 Sep 2018

Talos turns up obfuscation, lateral attacks, and proxies

Cunning malware VPNFilter remains under active development, and is acquiring ever more dangerous features.
That's the conclusion Cisco's Talos Intelligence security team reached after delving into recent samples and identifying seven “third-stage VPNFilter modules that add significant functionality to the malware”.
VPNFilter rose to prominence in May, when Talos found half a million pwned home routers and NAS boxes in 54 countries. The FBI attributed the attacks to Russia's Sofac...

Over 3,700 MikroTik Routers Abused In CryptoJacking Campaigns
BleepingComputer • Ionut Ilascu • 10 Sep 2018

Since exploit code for CVE-2018-14847 became publicly available, miscreants have launched attacks against MikroTik routers. Thousands of unpatched devices are mining for cryptocurrency at the moment.
The maker of the routers released a patch of the security bug in April, but users are slow to install the update, enabling cybercriminals to fight for a piece of the pie.
Security researcher Troy Mursch, who tracks botnets and researches cryptojacking campaigns, found that the infected ...

Mikrotik routers pwned en masse, send network data to mysterious box
The Register • Shaun Nichols in San Francisco • 04 Sep 2018

Researchers uncover botnet malware pouncing on security holes

More than 7,500 Mikrotik routers have been compromised with malware that logs and transmits network traffic data to an unknown control server.
This is according to researchers from 360 Netlab, who found the routers had all been taken over via an exploit for CVE-2018-14847, a vulnerability first disclosed in the Vault7 data dump of supposed CIA hacking tools.
Since mid-July, Netlab said, attackers have looked to exploit the flaw and enlist routers to do things like force connected mac...

Thousands of Compromised MikroTik Routers Send Traffic to Attackers
BleepingComputer • Ionut Ilascu • 04 Sep 2018

Attackers compromising MikroTik routers have configured the devices to forward network traffic to a handful of IP addresses under their control.
Cybercriminals gained access to the devices by exploiting CVE-2018-14847, a vulnerability that has been patched since April.
The bug is in the Winbox management component and allows a remote attacker to bypass authentication and read arbitrary files. Exploit code is freely available from at least three sources (1, ...