MikroTik RouterOS vulnerability
CERT NZ has been informed of an active attack targeting MikroTik RouterOS devices.
Attackers are identifying these devices by scanning for public IP addresses running specific RouterOS ports and using older versions of the operating system. Once the vulnerability is exploited, malware is downloaded to the compromised devices. The device is then being used to scan for other IP addresses and spread.
CERT NZ is aware that this attack is active. We strongly recommend investigating and patching any RouterOS devices on your network as soon as possible to prevent them from being compromised.
MikroTik RouterOS devices that are internet-accessible/have public IP addresses are affected by this vulnerability. These devices can be identified in a number of ways, including checking for devices running Winbox (8291) which is a MikroTik-specific port.
Exploiting this vulnerability requires the devices to be unpatched. It is prudent to work on the basis that all MikroTik RouterOS devices are vulnerable if they are running versions older than 6.41.3.
MikroTik RouterOS devices that are running versions older than 6.41.3 should be patched immediately and the passwords for all user accounts should be changed. Logs should be reviewed to identify any suspicious activity, such as connections to unknown IPs.
What this means
All affected devices need to be patched to version 6.41.3 to prevent the device from being compromised.
What to look for
How to tell if you're at risk
If you are using a MikroTik RouterOS device you are at risk of being compromised.
This device may be provided by your internet service provider (ISP).
What to do
Ensure that any MikroTik RouterOS devices are patched to version 6.41.3.
If these devices cannot be patched, the use of the devices should be re-considered as there are no other controls to prevent this vulnerability.
Configure the device using the vendor’s recommended practices.
If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.