CVE-2023-30799 MikroTik RouterOS Administrator Privilege Escalation

2023-07-1914:56:17

CWE-269

VulnCheck

www.cve.org

mikrotik

routeros

privilege escalation

cve-2023-30799

winbox

http

arbitrary code

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS

0.001

Percentile

44.2%

JSON

MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6 are vulnerable to a privilege escalation issue. A remote and authenticated attacker can escalate privileges from admin to super-admin on the Winbox or HTTP interface. The attacker can abuse this vulnerability to execute arbitrary code on the system.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "x86",
      "ARM",
      "64 bit",
      "mips",
      "ppc"
    ],
    "product": "RouterOS",
    "vendor": "MikroTik",
    "versions": [
      {
        "lessThan": "6.49.7",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      },
      {
        "lessThanOrEqual": "6.48.6",
        "status": "affected",
        "version": "0",
        "versionType": "semver"
      }
    ]
  }
]