📄 Description (English)
MikroTik Router OS Directory Traversal Vulnerability — MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.
🤖 AI Executive Summary
CVE-2018-14847 is a critical directory traversal vulnerability in MikroTik RouterOS through version 6.42 that allows unauthenticated remote attackers to read arbitrary files (including credentials) and authenticated attackers to write arbitrary files via the WinBox interface (port 8291). This vulnerability has been actively exploited in the wild by multiple threat actors including VPNFilter malware and cryptomining campaigns. With a CVSS score of 9.0 and publicly available exploit code, this represents an immediate threat to any organization running unpatched MikroTik devices. Despite being disclosed in 2018, many devices remain unpatched globally, making this a persistent and high-priority risk.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 10, 2026 09:01
🇸🇦 Saudi Arabia Impact Assessment
MikroTik routers are widely deployed across Saudi Arabia, particularly in small-to-medium enterprises, ISPs, and as edge routers in various sectors. The telecom sector (STC, Mobily, Zain) and their downstream customers are at significant risk as MikroTik devices are commonly used in last-mile connectivity. Government agencies and educational institutions in Saudi Arabia frequently use MikroTik for network infrastructure. Energy sector facilities including ARAMCO contractors and subcontractors may use MikroTik devices in operational networks. Banking institutions regulated by SAMA could be affected if MikroTik devices are present in branch office networks. Compromised routers can be used as pivot points for lateral movement, credential harvesting, traffic interception, and as part of botnets targeting Saudi critical infrastructure.
🏢 Affected Saudi Sectors
Telecommunications
Government
Banking
Energy
Healthcare
Education
Small and Medium Enterprises
Internet Service Providers
Retail
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all MikroTik RouterOS devices in your network using asset discovery tools and port scanning for WinBox (TCP 8291)
2. Block external access to WinBox port 8291 immediately via perimeter firewall rules
3. Upgrade all MikroTik RouterOS devices to version 6.43 or later (current stable recommended)
PATCHING GUIDANCE:
- MikroTik released patches in RouterOS 6.42.1 (bugfix) and 6.43 (current)
- Download firmware from https://mikrotik.com/download
- Test updates in a staging environment before production deployment
- After updating, change ALL router credentials as previous credentials may have been exfiltrated
COMPENSATING CONTROLS:
- Restrict WinBox access to specific management VLANs and IP addresses only
- Disable WinBox if not needed and use SSH instead
- Implement network segmentation to isolate management interfaces
- Enable logging on MikroTik devices and forward to SIEM
- Monitor for indicators of compromise: unauthorized user accounts, modified scheduled scripts, unexpected firewall rules, SOCKS proxy configurations
DETECTION RULES:
- Monitor for connections to TCP port 8291 from untrusted sources
- Alert on Snort/Suricata rule SID:1:45717 for WinBox exploitation attempts
- Search for known exploit tools: winbox_exploit, RouterOS_Tools, CVE-2018-14847 PoC
- Check for unauthorized DNS changes and traffic redirection on MikroTik devices
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع أجهزة MikroTik RouterOS في شبكتك باستخدام أدوات اكتشاف الأصول ومسح المنافذ لـ WinBox (TCP 8291)
2. حظر الوصول الخارجي إلى منفذ WinBox 8291 فوراً عبر قواعد جدار الحماية المحيطي
3. ترقية جميع أجهزة MikroTik RouterOS إلى الإصدار 6.43 أو أحدث (يُوصى بالإصدار المستقر الحالي)
إرشادات التحديث:
- أصدرت MikroTik تصحيحات في RouterOS 6.42.1 (إصلاح أخطاء) و 6.43 (الحالي)
- تنزيل البرنامج الثابت من https://mikrotik.com/download
- اختبار التحديثات في بيئة اختبار قبل النشر في الإنتاج
- بعد التحديث، تغيير جميع بيانات اعتماد الراوتر حيث قد تكون بيانات الاعتماد السابقة قد تم تسريبها
الضوابط التعويضية:
- تقييد الوصول إلى WinBox لشبكات VLAN الإدارية وعناوين IP محددة فقط
- تعطيل WinBox إذا لم يكن مطلوباً واستخدام SSH بدلاً منه
- تنفيذ تجزئة الشبكة لعزل واجهات الإدارة
- تمكين التسجيل على أجهزة MikroTik وإعادة توجيهها إلى SIEM
- مراقبة مؤشرات الاختراق: حسابات مستخدمين غير مصرح بها، نصوص مجدولة معدلة، قواعد جدار حماية غير متوقعة، تكوينات وكيل SOCKS
قواعد الكشف:
- مراقبة الاتصالات بمنفذ TCP 8291 من مصادر غير موثوقة
- التنبيه على قاعدة Snort/Suricata SID:1:45717 لمحاولات استغلال WinBox
- البحث عن أدوات الاستغلال المعروفة
- التحقق من تغييرات DNS غير المصرح بها وإعادة توجيه حركة المرور على أجهزة MikroTik
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2-3-1 (Network Security Management)
ECC 2-3-4 (Patch Management)
ECC 2-5-1 (Vulnerability Management)
ECC 2-2-1 (Asset Management)
ECC 2-3-2 (Access Control for Network Devices)
🔵 SAMA CSF
SAMA CSF 3.3.3 (Network Security)
SAMA CSF 3.3.5 (Patch Management)
SAMA CSF 3.3.7 (Vulnerability Management)
SAMA CSF 3.3.4 (Secure Configuration)
SAMA CSF 3.1.3 (Asset Management)
🟡 ISO 27001:2022
A.8.8 (Management of technical vulnerabilities)
A.8.9 (Configuration management)
A.8.20 (Networks security)
A.8.21 (Security of network services)
A.5.7 (Threat intelligence)
🟣 PCI DSS v4.0
PCI DSS 6.3.3 (Patching security vulnerabilities)
PCI DSS 1.2.1 (Restrict inbound and outbound traffic)
PCI DSS 2.2.1 (System configuration standards)
PCI DSS 11.3 (Vulnerability scanning)
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
MikroTik:RouterOS