Skip to main content

MikroTik RouterOS CVE-2026-7668

| EUVDEUVD-2026-26801 MEDIUM
Out-of-bounds Read (CWE-125)
2026-05-02 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Severity Changed
May 02, 2026 - 21:22 NVD
HIGH MEDIUM
CVSS changed
May 02, 2026 - 21:22 NVD
7.3 (HIGH) 5.5 (MEDIUM)
PoC Detected
May 02, 2026 - 21:16 vuln.today
Public exploit code
Analysis Generated
May 02, 2026 - 21:00 vuln.today
EUVD ID Assigned
May 02, 2026 - 20:30 euvd
EUVD-2026-26801
Analysis Generated
May 02, 2026 - 20:30 vuln.today
CVE Published
May 02, 2026 - 20:00 nvd
MEDIUM 5.5

DescriptionCVE.org

A vulnerability was identified in MikroTik RouterOS 6.49.8. This vulnerability affects the function ASN1_STRING_data in the library nova/lib/www/scep.p of the component SCEP Endpoint. The manipulation of the argument transactionID/messageType leads to out-of-bounds read. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Out-of-bounds read in MikroTik RouterOS 6.49.8 SCEP endpoint allows remote unauthenticated attackers to trigger memory disclosure and potential service disruption via malformed transactionID or messageType parameters. Public exploit code exists on GitHub. CVSS 7.3 reflects network-accessible attack surface with low complexity, though impact is rated limited across confidentiality, integrity, and availability. Vendor non-responsive to coordinated disclosure attempts.

Technical ContextAI

This vulnerability resides in the SCEP (Simple Certificate Enrollment Protocol) implementation within MikroTik RouterOS, specifically in the ASN1_STRING_data function of nova/lib/www/scep.p library. SCEP is used for automated certificate provisioning and management. The flaw is classified as CWE-125 (Out-of-bounds Read), occurring when the SCEP endpoint processes ASN.1 encoded certificate enrollment messages without proper bounds validation on transactionID or messageType fields. ASN.1 parsing vulnerabilities are common in cryptographic protocol implementations where variable-length encoded data structures can trigger memory access violations if length fields are not sanitized before dereferencing pointers. The affected CPE indicates MikroTik RouterOS as the vulnerable product family, with version 6.49.8 explicitly confirmed.

RemediationAI

No vendor-released patch identified at time of analysis despite early coordinated disclosure attempts. Immediate mitigation: disable SCEP endpoint access via firewall rules (IP > Firewall > Filter Rules) to block external access to TCP port 80/443 SCEP paths, typically /scep or /.well-known/est. For organizations requiring SCEP functionality, restrict access to trusted certificate authority IP ranges only. Trade-off: disabling SCEP breaks automated certificate enrollment workflows, requiring manual certificate installation. Consider upgrading to RouterOS 7.x stable branch if compatible with hardware, as the vulnerability description specifies 6.49.8, though migration requires testing for configuration compatibility. Monitor MikroTik security advisories at https://mikrotik.com/support/security for future patches. Implement network segmentation to prevent router management interfaces from direct internet exposure. Temporary workaround effectiveness depends on whether SCEP is operationally required; if not, disabling the service eliminates attack vector entirely.

CVE-2017-17538 HIGH POC
7.5 Dec 13

MikroTik v6.40.5 devices allow remote attackers to cause a denial of service via a flood of ICMP packets. Rated high sev

CVE-2017-7285 HIGH POC
7.5 Mar 29

A vulnerability in the network stack of MikroTik Version 6.38.5 released 2017-03-09 could allow an unauthenticated remot

CVE-2017-6444 HIGH POC
7.5 Mar 12

The MikroTik Router hAP Lite 6.25 has no protection mechanism for unsolicited TCP ACK packets in the case of a fast netw

CVE-2022-34960 CRITICAL POC
9.8 Aug 25

The container package in MikroTik RouterOS 7.4beta4 allows an attacker to create mount points pointing to symbolic links

CVE-2020-13118 CRITICAL POC
9.8 May 16

An issue was discovered in Mikrotik-Router-Monitoring-System through 2018-10-22. Rated critical severity (CVSS 9.8), thi

CVE-2018-7445 CRITICAL POC
9.8 Mar 19

A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Rated

CVE-2018-14847 CRITICAL POC
9.1 Aug 02

MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated

CVE-2022-45313 HIGH POC
8.8 Dec 05

Mikrotik RouterOs before stable v7.5 was discovered to contain an out-of-bounds read in the hotspot process. Rated high

CVE-2018-1156 HIGH POC
8.8 Aug 23

Mikrotik RouterOS before 6.42.7 and 6.40.9 is vulnerable to stack buffer overflow through the license upgrade interface.

CVE-2012-6050 MEDIUM POC
6.4 Nov 27

The winbox service in MikroTik RouterOS 5.15 and earlier allows remote attackers to cause a denial of service (CPU consu

CVE-2021-27221 HIGH POC
8.1 Mar 19

MikroTik RouterOS 6.47.9 allows remote authenticated ftp users to create or overwrite arbitrary .rsc files via the /expo

CVE-2019-3943 HIGH POC
8.1 Apr 10

MikroTik RouterOS versions Stable 6.43.12 and below, Long-term 6.42.12 and below, and Testing 6.44beta75 and below are v

Share

CVE-2026-7668 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy