Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
RouterOS provides various services that rely on correct verification of client and server certificates to secure confidentiality and integrity of communications. This includes OpenVPN, CAPsMAN, Dot1x (802.1X), among others.
The vulnerability lies in shared certificate validation logic which uses the system certificate store that is shared and equally trusted by all system services. This causes confusion of scope, allowing any certificate authority present in the system-wide trust store to be trusted in any context (with some exceptions), allowing partial or full authentication bypass in CAPsMAN, OpenVPN, Dot1X and potentially others.
AnalysisAI
RouterOS fails to properly validate certificate scope across its shared system certificate store, allowing any trusted certificate authority to authenticate in contexts beyond its intended scope. This vulnerability enables partial or full authentication bypass in OpenVPN, CAPsMAN, and 802.1X (Dot1x) services, affecting all RouterOS versions that use the vulnerable shared certificate validation logic. The vulnerability requires network access but no user interaction or authentication, making it remotely exploitable against default configurations.
Technical ContextAI
RouterOS implements multiple security-sensitive services (OpenVPN, CAPsMAN, Dot1x/802.1X) that rely on X.509 certificate validation to authenticate clients and servers. The underlying vulnerability stems from CWE-295 (Improper Certificate Validation), specifically a scope-confusion flaw where the system maintains a single shared certificate trust store used equally by all services. Rather than enforcing role-based or context-specific certificate validation policies, RouterOS trusts any certificate authority present in this system-wide store for any protocol context. This creates a confusion-of-authority problem: a CA certificate legitimately added to authenticate clients in one service context (e.g., OpenVPN) becomes automatically trusted in other contexts (e.g., CAPsMAN or Dot1x) where it should not be. The affected CPE indicates all RouterOS versions are potentially vulnerable, though patch availability and exact vulnerable version ranges are not confirmed in the provided data.
RemediationAI
Vendor patch information is not confirmed in the provided data. Network administrators should immediately consult the MikroTik advisory and CERT.SI link (https://www.cert.si/en/cve-2025-42611/) for patched RouterOS versions and deployment guidance. Pending patch availability, implement the following compensating controls: (1) Restrict network access to OpenVPN, CAPsMAN, and 802.1X services using firewall rules and access control lists, limiting exposure to trusted administrative networks only-this reduces remote attack surface at the cost of service availability if remote access is required. (2) Review and minimize the system certificate trust store, removing any CA certificates that are not strictly necessary for each service's authentication context-this directly addresses the scope-confusion flaw but requires careful inventory of legitimate certificate use. (3) Implement network segmentation to isolate RouterOS management traffic and service authentication flows from untrusted network segments, reducing the likelihood that an attacker can present a malicious certificate. (4) Monitor and log certificate validation failures in OpenVPN, CAPsMAN, and Dot1x services for anomalous authentication attempts. Note that these mitigations reduce attack surface but do not eliminate the underlying validation flaw; patch deployment is essential for complete remediation.
MikroTik v6.40.5 devices allow remote attackers to cause a denial of service via a flood of ICMP packets. Rated high sev
A vulnerability in the network stack of MikroTik Version 6.38.5 released 2017-03-09 could allow an unauthenticated remot
The MikroTik Router hAP Lite 6.25 has no protection mechanism for unsolicited TCP ACK packets in the case of a fast netw
The container package in MikroTik RouterOS 7.4beta4 allows an attacker to create mount points pointing to symbolic links
An issue was discovered in Mikrotik-Router-Monitoring-System through 2018-10-22. Rated critical severity (CVSS 9.8), thi
A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Rated
MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated
Mikrotik RouterOs before stable v7.5 was discovered to contain an out-of-bounds read in the hotspot process. Rated high
Mikrotik RouterOS before 6.42.7 and 6.40.9 is vulnerable to stack buffer overflow through the license upgrade interface.
The winbox service in MikroTik RouterOS 5.15 and earlier allows remote attackers to cause a denial of service (CPU consu
MikroTik RouterOS 6.47.9 allows remote authenticated ftp users to create or overwrite arbitrary .rsc files via the /expo
MikroTik RouterOS versions Stable 6.43.12 and below, Long-term 6.42.12 and below, and Testing 6.44beta75 and below are v
Same weakness CWE-295 – Improper Certificate Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209639
GHSA-qqqc-gw7p-pw85