
CVE-2025-61481 PoC — MikroTik RouterOS Security Vulnerability

Source
Associated Vulnerability
Title: MikroTik RouterOS Security Vulnerability (CVE-2025-61481)
Description: MikroTik RouterOS is a Linux-based router operating system from the Latvian company MikroTik. It can be deployed on a PC to give it router functionality. A security vulnerability exists in MikroTik RouterOS 7.14.2 and SwitchOS 2.18; it stems from a flaw in the HTTP-only WebFig management component and may allow remote execution of arbitrary code.
Description
CVE-2025-61481
Readme
# 🚨 **CVE-2025-61481 — Critical MikroTik WebFig Vulnerability (RCE + Credential Exposure)**  

🕒 Published: 2025 | 💣 CVSS 10.0 (Critical) | 🌐 Affects: RouterOS v7.14.2 & SwitchOS v2.18  

---

### 🧩 Overview

![G4aHxKVWwAAVvwW](https://github.com/user-attachments/assets/ec39199e-8e00-4f3a-9859-142828f4a818)

A newly disclosed vulnerability, **CVE-2025-61481**, impacts **MikroTik RouterOS (v7.14.2)** and **SwitchOS (v2.18)**.  
The issue lies in the **WebFig** management interface, which by default uses **HTTP (unencrypted)** instead of HTTPS.  

This configuration sends login credentials and session data in cleartext — allowing attackers on the same network (or a man-in-the-middle position) to intercept, manipulate, and potentially gain **remote code execution (RCE)** on affected devices.  

---

### ⚠️ Severity
- **CVSS v3.1 Base Score:** 10.0 — _Critical_  
- **Vector:** `AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L`  
- **Impact:** Complete takeover of device management, credential theft, and configuration tampering.  

---

### 🔍 Technical Summary
- WebFig defaults to **HTTP (port 80)** without automatic HTTPS redirection.  
- Credentials are stored in **sessionStorage** and transmitted unencrypted.  
- Traffic interception enables credential harvesting or session hijacking.  
- Once authenticated, attackers may execute arbitrary commands on the device.  

---

### 🧠 Attack Scenario
1. An attacker on the same network performs a **MitM** attack (e.g., ARP spoofing).  
2. The victim logs into WebFig via HTTP.  
3. Credentials are captured in transit.  
4. Attacker logs into the router, executes arbitrary commands, or changes configs remotely.  

---

### 🛡️ Mitigation & Defense
✅ **1. Disable HTTP** — Enable and enforce **HTTPS** on WebFig.  
✅ **2. Restrict Management Access** — Limit to a trusted admin VLAN or IP range.  
✅ **3. Use Encrypted Channels** — Prefer **SSH** or **VPN tunnels** for administration.  
✅ **4. Monitor Logs** — Watch for unusual logins or port 80 traffic.  
✅ **5. Patch Immediately** — Apply MikroTik’s firmware update once released.  

---

### 🧭 Recommendations
If you’re managing MikroTik devices:
- Audit your routers/switches today.  
- Force HTTPS for all WebFig access.  
- Review your device firewall to block external HTTP management traffic.  
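A RouterOS CLI hardening sequence that carries out the mitigation and recommendation steps above (disable HTTP, force HTTPS on WebFig, restrict management to an admin subnet, block and log port 80 management traffic, review login events). This is an added example, not code from the PoC repository or from MikroTik; the admin subnet 10.10.0.0/24, the certificate name webfig-cert, the common name router.example.local and the syslog host 10.10.0.5 are placeholder assumptions.

```routeros
# Added hardening example (placeholders: admin subnet 10.10.0.0/24,
# certificate "webfig-cert", syslog collector 10.10.0.5).

# 1. Inspect which management services are enabled and on which ports.
/ip service print

# 2. Create and self-sign a TLS server certificate for WebFig
#    (prefer a certificate issued by your own CA where available).
/certificate add name=webfig-cert common-name=router.example.local \
    days-valid=365 key-usage=digital-signature,key-encipherment,tls-server
/certificate sign webfig-cert

# 3. Serve WebFig over HTTPS only, reachable solely from the admin subnet,
#    then disable the cleartext HTTP service (port 80).
/ip service set www-ssl disabled=no certificate=webfig-cert \
    address=10.10.0.0/24
/ip service set www disabled=yes

# 4. Disable the remaining cleartext management services and scope the rest.
/ip service set telnet,ftp,api disabled=yes
/ip service set ssh,winbox,api-ssl address=10.10.0.0/24

# 5. Belt-and-braces on the router's own input chain: drop and log any
#    HTTP management attempt, and keep HTTPS limited to the admin subnet.
/ip firewall filter add chain=input protocol=tcp dst-port=80 \
    action=drop log=yes log-prefix="webfig-http" \
    comment="CVE-2025-61481: no cleartext WebFig"
/ip firewall filter add chain=input protocol=tcp dst-port=443 \
    src-address=!10.10.0.0/24 action=drop log=yes log-prefix="webfig-ext"

# 6. Ship account (login) events to a remote collector and review them
#    for logins from outside the admin subnet or at unusual times.
/system logging action set remote remote=10.10.0.5
/system logging add topics=account action=remote
/log print where message~"logged in"
```

Run step 3 from a session that is not itself on the HTTP WebFig service (SSH or Winbox), otherwise disabling `www` cuts off the session you are configuring from.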

---

### 🗣️ Closing Note
This CVE is a strong reminder that **“default” ≠ “secure.”**  
Even robust platforms like MikroTik can expose critical surfaces when encryption isn’t enforced by default.  

🔒 Always assume unencrypted management = compromised credentials.

File Snapshot

/data/pocs/746e9ee42bc603884582410e262ae8a73379a98d
└── README.md (2.6K)

1 directory, 1 file