Hundreds of thousands of MikroTik devices still vulnerable to botnets


Level 85
Thread author
Honorary Member
Top Poster
Content Creator
Malware Hunter
Aug 17, 2014
Approximately 300,000 MikroTik routers are vulnerable to critical vulnerabilities that malware botnets can exploit for cryptomining and DDoS attacks.

MikroTik is a Latvian manufacturer of routers and wireless ISPs who has sold over 2,000,000 devices globally.

In August, the Mēris botnet exploited vulnerabilities in MikroTik routers to create an army of devices that performed a record-breaking DDoS attack on Yandex. MikroTik explained that the threat actors behind the attack exploited vulnerabilities fixed in 2018 and 2019, but users hadn't applied.

Researchers have found that far too many remain vulnerable to three critical remote code execution flaws that can lead to a complete device takeover despite all of these warnings and attacks. As illustrated in a report published by Eclypsium today, the situation remains highly problematic.
Researchers from Eclypsium scanned the Internet for MikroTik devices that are still vulnerable to the following four CVEs:
  • CVE-2019-3977: Remote OS downgrade and system reset. CVSS v3 – 7.5
  • CVE-2019-3978: Remote unauthenticated cache poisoning. CVSS v3 – 7.5
  • CVE-2018-14847: Remote unauthenticated arbitrary file access and write. CVSS v3 – 9.1
  • CVE-2018-7445: Buffer overflow enabling remote access and code execution. CVSS v3 – 9.8
The devices need to run RouterOS version 6.45.6 or older to be eligible for exploitation and have their WinBox protocol exposed to the Internet.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.