CVE-2019-3977

Summary

RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below insufficiently validate where upgrade packages are download from when using the autoupgrade feature. Therefore, a remote attacker can trick the router into "upgrading" to an older version of RouterOS and possibly reseting all the system's usernames and passwords.

Affected Software

VendorProductVersion RangeStatus
n/aMikroTik RouterOSRouterOS 6.45.6 Stable and below. RouterOS 6.44.5 Long-term and below.affected

Weaknesses

  • CWE-494: CWE-494 Insufficient checks on origin

ADP Enrichment

CVE Program Container

Additional References

References