Researchers say more than 900,000 MikroTik routers vulnerable to hackers

More than 900,000 MikroTik routers are vulnerable to an issue that the company quietly patched late last week, according to researchers.

Latvia-based MikroTik is a major network equipment manufacturer that produces some of the most popular routers in the world.

On July 20, the company patched a vulnerability – CVE-2023-30799 – in its latest update, but didn’t publish an advisory about the fixes. The vulnerability allows hackers to escalate their privileges, giving them wider access to a network.

Jacob Baines, the lead threat researcher at cybersecurity firm VulnCheck, said hundreds of thousands of devices deployed around the world are still vulnerable. On its website, MikroTik lists the U.S. State Department, Sprint, Los Alamos National Laboratory, Siemens, Mitsubishi and NASA as some of its customers.

MikroTik did not respond to requests for comment but VulnCheck researchers said the company has been aware of the issue since at least October 2022 because they patched it in at least one version of their software – RouterOS stable. But the issue discovered recently by VulnCheck affects the company’s RouterOS Long-term product and was patched in version 6.49.8, which came out last Thursday.

The researchers said the issue carries a CVSS score of 9.1 — indicating that it is a critical issue — and noted that the unpatched version of Long-term was the second most installed RouterOS version according to Shodan, a scanning tool for internet-connected devices.

“In total, Shodan indexes approximately 500,000 and 900,000 RouterOS systems vulnerable to CVE-2023-30799 via their web and/or Winbox interfaces respectively,” Baines told Recorded Future News, explaining that the different figures represent different interfaces that may be present in a device.

Baines noted that the issue dates back more than a year, when Margin Research employees Ian Dupont and Harrison Green released an exploit for the vulnerability called “FOISted” in June 2022.

VulnCheck recently published details about new exploits for the vulnerability that attacks a wider range of MikroTik hardware, Baines said, theorizing that the limited scope of the initial exploit may have been what prompted the lackluster response from MikroTik.

MikroTik devices have long been a target for hackers seeking to create botnets – a group of internet-connected devices taken over to amplify attacks or provide proxies for attackers.

Thousands of exploited MikroTik devices were part of the botnet Meris – which was behind some of the biggest DDoS attacks in 2021 – after hackers discovered a zero-day in 2018. There have been several other instances of hackers using MikroTik devices to form powerful botnets over the last three years.