CVE-2025-61481: n/a
An issue in MikroTik RouterOS v.7.14.2 and SwitchOS v.2.18 allows a remote attacker to execute arbitrary code via the HTTP-only WebFig management component
AI Analysis
Technical Summary
CVE-2025-61481 is a remote code execution (RCE) vulnerability identified in MikroTik RouterOS version 7.14.2 and SwitchOS version 2.18. The flaw resides in the HTTP-only WebFig management component, which is used for device configuration and management. An attacker can exploit this vulnerability remotely without requiring authentication or user interaction, allowing arbitrary code execution on the affected device. This means an attacker could gain full control over the router or switch, potentially altering configurations, intercepting or redirecting traffic, or using the device as a foothold for further network compromise. The vulnerability was reserved on September 26, 2025, and published on October 27, 2025, but no CVSS score or patches have been published yet, and no exploits are known to be active in the wild. MikroTik devices are widely deployed globally, including in European enterprise and service provider networks, making this vulnerability particularly concerning. The WebFig interface is typically accessible via HTTP on the device’s management IP, and if exposed to untrusted networks, it increases the attack surface significantly. The lack of authentication requirement and the ability to execute arbitrary code remotely elevate the risk substantially. This vulnerability could be leveraged to disrupt network operations, exfiltrate sensitive data, or pivot to other internal systems.
Potential Impact
For European organizations, the impact of CVE-2025-61481 could be severe. MikroTik devices are commonly used in enterprise, ISP, and critical infrastructure networks across Europe. Successful exploitation could lead to complete device compromise, allowing attackers to manipulate network traffic, disrupt services, or establish persistent access. This could result in data breaches, service outages, and damage to organizational reputation. Critical sectors such as telecommunications, finance, government, and energy, which rely heavily on network infrastructure, would be particularly vulnerable. The ability to execute arbitrary code remotely without authentication increases the likelihood of exploitation, potentially enabling widespread attacks if devices are exposed to the internet or insufficiently segmented internal networks. The absence of patches at the time of disclosure means organizations must rely on interim mitigations to protect their environments. Additionally, compromised devices could be used as launch points for attacks against other European networks, amplifying the threat landscape.
Mitigation Recommendations
1. Immediately restrict access to the WebFig management interface by limiting it to trusted internal networks only, using firewall rules or access control lists (ACLs).
2. Disable HTTP access to WebFig and, if possible, use secure management protocols such as HTTPS or SSH for device administration.
3. Implement network segmentation to isolate management interfaces from general user and internet-facing networks.
4. Monitor network traffic and device logs for unusual activity or unauthorized access attempts targeting the WebFig interface.
5. Apply strict authentication and authorization controls on management interfaces, even if the vulnerability bypasses authentication, to reduce attack surface.
6. Stay alert for official patches or firmware updates from MikroTik and apply them promptly once available.
7. Conduct regular vulnerability assessments and penetration testing focusing on network device management interfaces.
8. Educate network administrators about this vulnerability and enforce best practices for device hardening and secure configuration.
9. Consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts targeting this vulnerability.
10. Maintain an incident response plan specifically addressing network device compromises to enable rapid containment and recovery.
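The following RouterOS v7 console commands are an added example of how steps 1 to 4 above can be applied on a MikroTik router; they are not from the advisory or from MikroTik. The management subnet 192.168.88.0/24 and the certificate name mgmt-cert are constructed assumptions and must be replaced with the values for your network.

```routeros
# Added hardening example for RouterOS v7 (not from the advisory or MikroTik).
# Assumptions (constructed): trusted management subnet is 192.168.88.0/24 and a
# certificate named "mgmt-cert" has already been imported for the HTTPS service.

# Step 2: turn off plain-HTTP WebFig, the component named in the CVE description.
/ip service set www disabled=yes

# Steps 1-2: keep HTTPS WebFig and SSH, but only answer from the management subnet.
/ip service set www-ssl disabled=no certificate=mgmt-cert address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# Step 1: disable management services that are not needed at all.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set api disabled=yes

# Steps 1 and 4: drop management-port traffic on the input chain that does not
# come from the management subnet, and log it so attempts are visible in
# /log print. place-before=0 puts the rule ahead of any broad accept rule.
/ip firewall filter add chain=input protocol=tcp dst-port=80,443,8291 src-address=!192.168.88.0/24 action=drop log=yes log-prefix="mgmt-drop" comment="Drop WebFig/WinBox from untrusted sources" place-before=0

# Verify what is still listening, from where, and that the rule is in place.
/ip service print
/ip firewall filter print where chain=input
/log print where message~"mgmt-drop"
```

SwitchOS has no command line; the equivalent restriction of the HTTP management interface is configured in its web interface, so the commands above apply to RouterOS only.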
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68ff7cafba6dffc5e2fbe7a1
Added to database: 10/27/2025, 2:07:43 PM
Last enriched: 10/27/2025, 2:23:55 PM
Last updated: 10/27/2025, 4:48:00 PM