MikroTik – URGENT Security Advisory

Rate post

We point out that a rogue botnet is currently scanning random public IP addresses to find open Winbox (8291) and WWW (80) ports, to exploit a vulnerability in the RouterOS WWW server that was patched more than a year ago (in RouterOS v6.38.5, March 2017).

Since all RouterOS devices offer free upgrades with just two clicks, we urge you to upgrade your devices with the "Check for updates" button if you haven't done so within the last year.

Your devices are safe if the port 80 is firewalled, or if you have upgraded to v6.38.5 or newer. If you are using our home access point devices with default configuration, they are firewalled from the factory and you should also be safe, but please upgrade nevertheless.

The vulnerability in question was fixed in March 2017:

Current release chain:

What's new in 6.38.5 (2017-Mar-09 11:32):

  • !) www - fixed http server vulnerability;

And also Bugfix release chain:

What's new in 6.37.5 (2017-Mar-09 11:54):

  • !) www - fixed http server vulnerability;

Currently, this botnet only spreads and scans. It doesn't do anything else, but we still suggest to change your password and upgrade your firewall, just in case. Recommendations about securing your router: https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router


What is affected?

  • WebFig with standard port 80 and no firewall rules
  • Winbox has nothing to do with the vulnerability, Winbox port is only used by the scanners to identify MikroTik brand devices. Then it proceeds to exploit WebFig through port 80.

Am I safe?

  • If you upgraded your router in the last ~12 months: you are safe.
  • If you had "ip service" "www" disabled: you are safe.
  • If you had firewall configured for port "80": you are safe.
  • If you only had a Hotspot in your LAN, but WebFig was not available: you are safe.
  • If you only had User Manager in your LAN, but WebFig was not available: you are safe.
  • If you had another Winbox port before this: you are safe from the scan, but not from the infection.
  • If you had "winbox" disabled, you are safe from the scan, not from the infection.
  • If you had "ip service" "allowed-from" set to specific network: you are safe if that network was not infected.
  • If you had "WebFig" visible to LAN network, you could be infected by an infected device in your LAN.

How to detect and cure?

  • Upgrading to v6.38.5 or newer will remove the bad files, stop the infection and prevent anything similar in the future.
  • If you upgrade your device and you still see attempts to access Telnet from your network - run Tool/Torch and find out the source of the traffic. It will not be the router itself, but another device in the local network, which is also affected and requires an upgrade.


More information can be found here: https://forum.mikrotik.com/viewtopic.php?f=21&t=132499.

For queries or assistance with the implementation of these important updates, please do not hesitate to contact us.


Get further information and support:

Gladly, we will call you back in case you have further inquiries.

    By continuing to use the site, you agree to the use of cookies. More information

    Die Cookie-Einstellungen auf dieser Website sind auf "Cookies zulassen" eingestellt, um das beste Surferlebnis zu ermöglichen. Wenn du diese Website ohne Änderung der Cookie-Einstellungen verwendest oder auf "Akzeptieren" klickst, erklärst du sich damit einverstanden.