CVE-2025-61481 is a critical security vulnerability identified in MikroTik RouterOS version 7.14.2 and SwOS version 2.18. The root cause is that the WebFig management interface, which is used for device administration, is exposed over cleartext HTTP by default rather than encrypted HTTPS. This exposure allows an attacker positioned on the network path between the administrator and the device (a man-in-the-middle or on-path attacker) to intercept all HTTP traffic, including sensitive credentials. Furthermore, the attacker can inject malicious JavaScript code into the WebFig interface viewed by the administrator, enabling execution of arbitrary scripts in the administrator's browser context. This can lead to credential theft, session hijacking, and potentially full control over the router or switch. The vulnerability does not require any authentication or user interaction, making it trivially exploitable by anyone with network access. The CVSS v3.1 base score is 10.0, indicating critical severity with network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change that affects confidentiality, integrity, and availability. The associated CWEs include CWE-1188 (Improper Access of Sensitive Information), CWE-319 (Cleartext Transmission of Sensitive Information), and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). No known exploits are reported in the wild yet, but the ease of exploitation and critical impact make this a high-priority issue. The vulnerability affects MikroTik devices widely deployed in enterprise, ISP, and critical infrastructure networks globally. The lack of HTTPS by default is a significant security misconfiguration that undermines the confidentiality and integrity of administrative access to network devices.

The impact of CVE-2025-61481 on European organizations is substantial. MikroTik devices are commonly used in small to medium enterprises, ISPs, and even some critical infrastructure sectors across Europe. The exposure of the WebFig management interface over HTTP allows attackers to intercept administrator credentials and execute malicious scripts, potentially leading to full device compromise. This can result in unauthorized network access, data exfiltration, disruption of network services, and lateral movement within corporate networks. Given the critical nature of network infrastructure, such compromises can affect availability of services, confidentiality of sensitive data, and integrity of network configurations. The vulnerability's ease of exploitation and lack of required authentication increase the risk of widespread attacks, especially in environments where network segmentation or monitoring is insufficient. European organizations with remote or distributed network management are particularly vulnerable to man-in-the-middle attacks exploiting this flaw. The potential for cascading effects in supply chains and service providers further amplifies the threat to European digital infrastructure.

To mitigate CVE-2025-61481, European organizations should immediately disable HTTP access to the WebFig management interface on all affected MikroTik RouterOS and SwOS devices. Administrators must enforce HTTPS-only access for device management to ensure encrypted communication. Where possible, update devices to vendor-released patched versions once available. If patches are not yet released, consider temporary workarounds such as restricting management interface access to trusted internal networks or VPNs, and implementing strict network segmentation to isolate management traffic. Deploy network intrusion detection systems (NIDS) to monitor for suspicious HTTP traffic or injection attempts targeting the WebFig interface. Regularly audit device configurations to ensure no fallback to HTTP occurs. Educate network administrators about the risks of using unencrypted management interfaces and encourage use of strong, unique credentials combined with multi-factor authentication if supported. Finally, maintain up-to-date asset inventories to quickly identify and remediate vulnerable devices across the organization.