Skip to main content

MikroTik RouterOS CVE-2025-42611

| EUVDEUVD-2025-209639 MEDIUM
Improper Certificate Validation (CWE-295)
2026-05-05 ENISA GHSA-qqqc-gw7p-pw85
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 05, 2026 - 11:30 vuln.today

DescriptionCVE.org

RouterOS provides various services that rely on correct verification of client and server certificates to secure confidentiality and integrity of communications. This includes OpenVPN, CAPsMAN, Dot1x (802.1X), among others.

The vulnerability lies in shared certificate validation logic which uses the system certificate store that is shared and equally trusted by all system services. This causes confusion of scope, allowing any certificate authority present in the system-wide trust store to be trusted in any context (with some exceptions), allowing partial or full authentication bypass in CAPsMAN, OpenVPN, Dot1X and potentially others.

AnalysisAI

RouterOS fails to properly validate certificate scope across its shared system certificate store, allowing any trusted certificate authority to authenticate in contexts beyond its intended scope. This vulnerability enables partial or full authentication bypass in OpenVPN, CAPsMAN, and 802.1X (Dot1x) services, affecting all RouterOS versions that use the vulnerable shared certificate validation logic. The vulnerability requires network access but no user interaction or authentication, making it remotely exploitable against default configurations.

Technical ContextAI

RouterOS implements multiple security-sensitive services (OpenVPN, CAPsMAN, Dot1x/802.1X) that rely on X.509 certificate validation to authenticate clients and servers. The underlying vulnerability stems from CWE-295 (Improper Certificate Validation), specifically a scope-confusion flaw where the system maintains a single shared certificate trust store used equally by all services. Rather than enforcing role-based or context-specific certificate validation policies, RouterOS trusts any certificate authority present in this system-wide store for any protocol context. This creates a confusion-of-authority problem: a CA certificate legitimately added to authenticate clients in one service context (e.g., OpenVPN) becomes automatically trusted in other contexts (e.g., CAPsMAN or Dot1x) where it should not be. The affected CPE indicates all RouterOS versions are potentially vulnerable, though patch availability and exact vulnerable version ranges are not confirmed in the provided data.

RemediationAI

Vendor patch information is not confirmed in the provided data. Network administrators should immediately consult the MikroTik advisory and CERT.SI link (https://www.cert.si/en/cve-2025-42611/) for patched RouterOS versions and deployment guidance. Pending patch availability, implement the following compensating controls: (1) Restrict network access to OpenVPN, CAPsMAN, and 802.1X services using firewall rules and access control lists, limiting exposure to trusted administrative networks only-this reduces remote attack surface at the cost of service availability if remote access is required. (2) Review and minimize the system certificate trust store, removing any CA certificates that are not strictly necessary for each service's authentication context-this directly addresses the scope-confusion flaw but requires careful inventory of legitimate certificate use. (3) Implement network segmentation to isolate RouterOS management traffic and service authentication flows from untrusted network segments, reducing the likelihood that an attacker can present a malicious certificate. (4) Monitor and log certificate validation failures in OpenVPN, CAPsMAN, and Dot1x services for anomalous authentication attempts. Note that these mitigations reduce attack surface but do not eliminate the underlying validation flaw; patch deployment is essential for complete remediation.

CVE-2017-17538 HIGH POC
7.5 Dec 13

MikroTik v6.40.5 devices allow remote attackers to cause a denial of service via a flood of ICMP packets. Rated high sev

CVE-2017-7285 HIGH POC
7.5 Mar 29

A vulnerability in the network stack of MikroTik Version 6.38.5 released 2017-03-09 could allow an unauthenticated remot

CVE-2017-6444 HIGH POC
7.5 Mar 12

The MikroTik Router hAP Lite 6.25 has no protection mechanism for unsolicited TCP ACK packets in the case of a fast netw

CVE-2022-34960 CRITICAL POC
9.8 Aug 25

The container package in MikroTik RouterOS 7.4beta4 allows an attacker to create mount points pointing to symbolic links

CVE-2020-13118 CRITICAL POC
9.8 May 16

An issue was discovered in Mikrotik-Router-Monitoring-System through 2018-10-22. Rated critical severity (CVSS 9.8), thi

CVE-2018-7445 CRITICAL POC
9.8 Mar 19

A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Rated

CVE-2018-14847 CRITICAL POC
9.1 Aug 02

MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated

CVE-2022-45313 HIGH POC
8.8 Dec 05

Mikrotik RouterOs before stable v7.5 was discovered to contain an out-of-bounds read in the hotspot process. Rated high

CVE-2018-1156 HIGH POC
8.8 Aug 23

Mikrotik RouterOS before 6.42.7 and 6.40.9 is vulnerable to stack buffer overflow through the license upgrade interface.

CVE-2012-6050 MEDIUM POC
6.4 Nov 27

The winbox service in MikroTik RouterOS 5.15 and earlier allows remote attackers to cause a denial of service (CPU consu

CVE-2021-27221 HIGH POC
8.1 Mar 19

MikroTik RouterOS 6.47.9 allows remote authenticated ftp users to create or overwrite arbitrary .rsc files via the /expo

CVE-2019-3943 HIGH POC
8.1 Apr 10

MikroTik RouterOS versions Stable 6.43.12 and below, Long-term 6.42.12 and below, and Testing 6.44beta75 and below are v

Share

CVE-2025-42611 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy