CVE-2023-30799

2023-07-1915:15:10

CWE-269

VulnCheck

web.nvd.nist.gov

155

mikrotik

routeros

cve-2023-30799

vulnerability

privilege escalation

winbox

http

remote attacker

authenticated attacker

arbitrary code

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score

7.5

Confidence

High

EPSS

0.001

Percentile

44.2%

JSON

MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6 are vulnerable to a privilege escalation issue. A remote and authenticated attacker can escalate privileges from admin to super-admin on the Winbox or HTTP interface. The attacker can abuse this vulnerability to execute arbitrary code on the system.

Affected configurations

Nvd

Node

mikrotikrouterosRange≤6.48.7ltr

mikrotikrouterosRange6.34–6.49.7-

VendorProductVersionCPE
mikrotikrouteros*cpe:2.3:o:mikrotik:routeros:*:*:*:*:ltr:*:*:*
mikrotikrouteros*cpe:2.3:o:mikrotik:routeros:*:*:*:*:-:*:*:*

Vendor	Product	Version	CPE
mikrotik	routeros	*	cpe:2.3:o:mikrotik:routeros:::::ltr:::*
mikrotik	routeros	*	cpe:2.3:o:mikrotik:routeros:::::-:::*

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "x86",
      "ARM",
      "64 bit",
      "mips",
      "ppc"
    ],
    "product": "RouterOS",
    "vendor": "MikroTik",
    "versions": [
      {
        "lessThan": "6.49.7",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "6.48.6",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]