CVE-2017-20149: n/a in n/a
The Mikrotik RouterOS web server allows memory corruption in releases before Stable 6.38.5 and Long-term 6.37.5, aka Chimay-Red. A remote and unauthenticated user can trigger the vulnerability by sending a crafted HTTP request. An attacker can use this vulnerability to execute arbitrary code on the affected system, as exploited in the wild in mid-2017 and later.
AI Analysis
Technical Summary
CVE-2017-20149 is a critical remote code execution vulnerability affecting the Mikrotik RouterOS web server in versions prior to Stable 6.38.5 and Long-term 6.37.5, also known as Chimay-Red. The vulnerability arises from a memory corruption issue (classified under CWE-787: Out-of-bounds Write) that can be triggered by an unauthenticated remote attacker sending a specially crafted HTTP request to the RouterOS web server. This flaw allows the attacker to execute arbitrary code on the affected device without requiring any authentication or user interaction. Exploitation of this vulnerability can lead to full compromise of the router, enabling attackers to control network traffic, intercept sensitive data, or use the device as a pivot point for further attacks within the network. The vulnerability was actively exploited in the wild starting mid-2017, highlighting its practical risk. The CVSS v3.1 base score is 9.8 (critical), reflecting the high impact on confidentiality, integrity, and availability, combined with ease of exploitation over the network without privileges or user interaction. Mikrotik RouterOS is widely used in enterprise, ISP, and small-to-medium business environments for routing and network management, making this vulnerability particularly dangerous. No patch links are included in the provided data; the remediation is to upgrade to at least Stable 6.38.5 or Long-term 6.37.5. Given the criticality and the nature of the flaw, affected devices should be considered compromised until patched and fully audited.
Potential Impact
For European organizations, the impact of CVE-2017-20149 can be severe. Mikrotik devices are commonly deployed in various sectors including telecommunications providers, enterprises, and government networks across Europe. Successful exploitation can lead to unauthorized control over network infrastructure, allowing attackers to intercept or manipulate sensitive communications, disrupt network availability, or launch further attacks against internal systems. This can result in data breaches, service outages, and loss of trust. Critical infrastructure operators and ISPs in Europe relying on Mikrotik RouterOS are particularly at risk, as compromise of routing devices can have cascading effects on network stability and security. Additionally, the ability to execute arbitrary code remotely without authentication increases the likelihood of widespread exploitation, especially if devices remain unpatched. The vulnerability also poses risks to GDPR compliance due to potential unauthorized access to personal data traversing compromised routers.
Mitigation Recommendations
1. Immediate upgrade of all Mikrotik RouterOS devices to Stable version 6.38.5 or Long-term version 6.37.5 or later is essential to remediate the vulnerability.
2. Network administrators should audit their environments to identify all Mikrotik devices and verify their firmware versions.
3. Implement network segmentation to isolate critical routing devices from untrusted networks, reducing exposure.
4. Employ strict firewall rules to limit access to the RouterOS web server interface, ideally restricting it to trusted management networks only.
5. Monitor network traffic for unusual patterns or signs of compromise, including unexpected outbound connections or changes in device behavior.
6. Regularly back up router configurations and maintain incident response plans to quickly recover from potential compromises.
7. Consider deploying intrusion detection/prevention systems capable of detecting exploitation attempts targeting this vulnerability.
8. Educate network operations teams about the risks and signs of exploitation related to this vulnerability to ensure rapid detection and response.
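As an added example (not part of the original advisory), the following Python helper implements the version audit from steps 1 and 2: it parses RouterOS version strings as reported by an inventory and flags devices that predate the fix thresholds stated above. The inventory, hostnames and version strings are constructed sample data; the only facts taken from the advisory are the two fix versions.

```python
"""Audit RouterOS versions against the Chimay-Red fix thresholds.

Added example, not from the original advisory. Fix thresholds come from the
advisory text: Stable 6.38.5 and Long-term 6.37.5.
"""
import re
from typing import List, Tuple

STABLE_FIX = (6, 38, 5)    # first patched Stable release
LONGTERM_FIX = (6, 37, 5)  # first patched Long-term release

_VER_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '6.37.3 (long-term)' or '6.38' into a comparable (major, minor, patch)."""
    m = _VER_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def is_vulnerable(version: str) -> bool:
    """True when the version predates both fixes.

    Below 6.37.5: unpatched.  6.37.5 .. 6.37.x: patched Long-term line.
    6.38.0 .. 6.38.4: unpatched Stable line.  6.38.5 and later: patched.
    """
    v = parse_version(version)
    if v < LONGTERM_FIX:
        return True
    return (6, 38, 0) <= v < STABLE_FIX


# Constructed sample inventory: (hostname, RouterOS version as reported).
SAMPLE_INVENTORY = [
    ("edge-rtr-01", "6.38.1 (stable)"),
    ("edge-rtr-02", "6.38.5 (stable)"),
    ("core-rtr-01", "6.37.3 (long-term)"),
    ("core-rtr-02", "6.37.5 (long-term)"),
    ("lab-rtr-01", "6.40.1"),
    ("old-rtr-01", "6.29"),
]


def audit(inventory) -> List[str]:
    """Return the hostnames that still need the upgrade."""
    return [host for host, ver in inventory if is_vulnerable(ver)]


if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: upgrade to Stable 6.38.5 / Long-term 6.37.5 or later")
```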
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-10-15T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0fb1484d88663aeca04
Added to database: 5/20/2025, 6:59:07 PM
Last enriched: 7/6/2025, 3:25:50 PM
Last updated: 8/12/2025, 12:24:44 PM