CVE-2025-10948: Buffer Overflow in MikroTik RouterOS
A vulnerability has been found in MikroTik RouterOS 7. It affects the function parse_json_element in the component libjson.so, reached through the endpoint /rest/ip/address/print. Crafted input leads to a buffer overflow. The attack can be carried out remotely. An exploit has been disclosed publicly and may be used. Upgrading to version 7.20.1 or 7.21beta2 mitigates this issue; the affected component should be upgraded. The vendor replied: "Our bug tracker reports that your issue has been fixed. This means that we plan to release a RouterOS update with this fix. Make sure to upgrade to the next release when it comes out."
AI Analysis
Technical Summary
CVE-2025-10948 is a buffer overflow vulnerability identified in MikroTik RouterOS version 7, affecting the parse_json_element function in the /rest/ip/address/print endpoint, part of the libjson.so component. This vulnerability arises from improper handling of JSON data, allowing crafted input to overflow a buffer. The flaw can be exploited remotely over the network without requiring authentication or user interaction, making it highly accessible to attackers. Successful exploitation could lead to arbitrary code execution or denial of service, impacting the confidentiality, integrity, and availability of affected devices. The vulnerability has a CVSS 4.0 base score of 8.7, reflecting its high severity due to network attack vector, low attack complexity, no privileges or user interaction needed, and high impact on all security properties. Although no active exploits have been reported in the wild, the public disclosure and availability of proof-of-concept code increase the risk of exploitation. MikroTik has addressed the issue in RouterOS version 7.21beta2 and plans to release an official patch soon. Organizations running vulnerable RouterOS versions should upgrade promptly to prevent exploitation. Given MikroTik's widespread use in enterprise and ISP network equipment, this vulnerability poses a significant risk to network infrastructure stability and security.
Potential Impact
For European organizations, this vulnerability presents a critical risk to network infrastructure, as MikroTik RouterOS is commonly deployed in enterprise, ISP, and critical infrastructure environments across Europe. Exploitation could allow attackers to execute arbitrary code remotely, potentially leading to full device compromise, interception or manipulation of network traffic, and disruption of services. This could affect confidentiality by exposing sensitive network configuration and traffic, integrity by enabling unauthorized changes, and availability by causing device crashes or denial of service. Given the remote, unauthenticated nature of the exploit, attackers could target vulnerable routers at scale, impacting multiple organizations simultaneously. Critical sectors such as telecommunications, finance, government, and energy in Europe could face operational disruptions and data breaches. The public disclosure increases the likelihood of exploitation attempts, emphasizing the urgency for European entities to assess and remediate affected systems to maintain network security and service continuity.
Mitigation Recommendations
European organizations should immediately inventory their network devices to identify MikroTik RouterOS version 7 deployments. They should prioritize upgrading all affected devices to MikroTik RouterOS version 7.21beta2 or later once the official patch is released. Until upgrades are applied, organizations should restrict access to the REST API endpoint /rest/ip/address/print by implementing network segmentation and firewall rules to limit exposure to trusted management networks only. Monitoring network traffic for unusual JSON payloads targeting this endpoint can help detect exploitation attempts. Employing intrusion detection/prevention systems (IDS/IPS) with updated signatures for this vulnerability is recommended. Organizations should also review and tighten router management access policies, disable unnecessary services, and ensure robust logging and alerting are in place to facilitate rapid incident response. Regular backups of router configurations should be maintained to enable swift recovery if compromise occurs. Coordination with MikroTik support and staying informed on patch releases and advisories are critical.
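A defender-side check of the kind the paragraph above recommends, as an added example that is not part of the advisory or of any MikroTik code: it flags requests to the affected endpoint whose JSON body is oversized, deeply nested, contains an overlong string, or does not parse. The thresholds, the sample bodies and the heuristics are assumptions for tuning against your own REST traffic; the advisory does not describe the triggering input.

```python
import json

# Assumed thresholds, not from the advisory: tune to your own REST usage.
ENDPOINT = "/rest/ip/address/print"
MAX_BODY_BYTES = 4096   # a legitimate print filter is a few hundred bytes
MAX_DEPTH = 8           # print filters are flat; deep nesting is odd
MAX_STRING_LEN = 512    # no address/interface/comment is this long


def json_depth(node, depth=1):
    """Maximum nesting depth of a parsed JSON value."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        return max([json_depth(v, depth + 1) for v in node] + [depth])
    return depth


def longest_string(node):
    """Length of the longest string (key or value) inside a JSON value."""
    if isinstance(node, str):
        return len(node)
    if isinstance(node, dict):
        node = list(node.keys()) + list(node.values())
    if isinstance(node, list):
        return max([longest_string(v) for v in node] + [0])
    return 0


def check_request(path, body):
    """Return reasons a request to the affected endpoint looks anomalous."""
    if path.split("?", 1)[0] != ENDPOINT:
        return []                      # other endpoints are out of scope here
    reasons = []
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        reasons.append("oversized body")
    try:
        parsed = json.loads(body) if body.strip() else {}
    except ValueError:
        return reasons + ["malformed JSON"]
    if json_depth(parsed) > MAX_DEPTH:
        reasons.append("excessive nesting")
    if longest_string(parsed) > MAX_STRING_LEN:
        reasons.append("overlong string")
    return reasons


if __name__ == "__main__":
    # Constructed sample bodies, not captured traffic.
    for body in ('{".proplist": ["address"]}', '{"address": "%s"}' % ("A" * 5000),
                 "[" * 20 + "]" * 20, '{"address": '):
        print(check_request(ENDPOINT, body) or "ok")
```

Feed it the decoded request path and body from your HTTPS-terminating proxy or IDS rather than raw packets, since the REST API is served over TLS.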
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-25T06:03:48.610Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d54bd4b8fb385711ea40d4
Added to database: 9/25/2025, 2:04:04 PM
Last enriched: 10/13/2025, 7:15:27 AM
Last updated: 11/22/2025, 2:39:46 PM
Views: 1121