Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability was identified in MikroTik RouterOS 6.49.8. This vulnerability affects the function ASN1_STRING_data in the library nova/lib/www/scep.p of the component SCEP Endpoint. The manipulation of the argument transactionID/messageType leads to out-of-bounds read. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Out-of-bounds read in MikroTik RouterOS 6.49.8 SCEP endpoint allows remote unauthenticated attackers to trigger memory disclosure and potential service disruption via malformed transactionID or messageType parameters. Public exploit code exists on GitHub. CVSS 7.3 reflects network-accessible attack surface with low complexity, though impact is rated limited across confidentiality, integrity, and availability. Vendor non-responsive to coordinated disclosure attempts.
Technical ContextAI
This vulnerability resides in the SCEP (Simple Certificate Enrollment Protocol) implementation within MikroTik RouterOS, specifically in the ASN1_STRING_data function of nova/lib/www/scep.p library. SCEP is used for automated certificate provisioning and management. The flaw is classified as CWE-125 (Out-of-bounds Read), occurring when the SCEP endpoint processes ASN.1 encoded certificate enrollment messages without proper bounds validation on transactionID or messageType fields. ASN.1 parsing vulnerabilities are common in cryptographic protocol implementations where variable-length encoded data structures can trigger memory access violations if length fields are not sanitized before dereferencing pointers. The affected CPE indicates MikroTik RouterOS as the vulnerable product family, with version 6.49.8 explicitly confirmed.
RemediationAI
No vendor-released patch identified at time of analysis despite early coordinated disclosure attempts. Immediate mitigation: disable SCEP endpoint access via firewall rules (IP > Firewall > Filter Rules) to block external access to TCP port 80/443 SCEP paths, typically /scep or /.well-known/est. For organizations requiring SCEP functionality, restrict access to trusted certificate authority IP ranges only. Trade-off: disabling SCEP breaks automated certificate enrollment workflows, requiring manual certificate installation. Consider upgrading to RouterOS 7.x stable branch if compatible with hardware, as the vulnerability description specifies 6.49.8, though migration requires testing for configuration compatibility. Monitor MikroTik security advisories at https://mikrotik.com/support/security for future patches. Implement network segmentation to prevent router management interfaces from direct internet exposure. Temporary workaround effectiveness depends on whether SCEP is operationally required; if not, disabling the service eliminates attack vector entirely.
MikroTik v6.40.5 devices allow remote attackers to cause a denial of service via a flood of ICMP packets. Rated high sev
A vulnerability in the network stack of MikroTik Version 6.38.5 released 2017-03-09 could allow an unauthenticated remot
The MikroTik Router hAP Lite 6.25 has no protection mechanism for unsolicited TCP ACK packets in the case of a fast netw
The container package in MikroTik RouterOS 7.4beta4 allows an attacker to create mount points pointing to symbolic links
An issue was discovered in Mikrotik-Router-Monitoring-System through 2018-10-22. Rated critical severity (CVSS 9.8), thi
A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Rated
MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated
Mikrotik RouterOs before stable v7.5 was discovered to contain an out-of-bounds read in the hotspot process. Rated high
Mikrotik RouterOS before 6.42.7 and 6.40.9 is vulnerable to stack buffer overflow through the license upgrade interface.
The winbox service in MikroTik RouterOS 5.15 and earlier allows remote attackers to cause a denial of service (CPU consu
MikroTik RouterOS 6.47.9 allows remote authenticated ftp users to create or overwrite arbitrary .rsc files via the /expo
MikroTik RouterOS versions Stable 6.43.12 and below, Long-term 6.42.12 and below, and Testing 6.44beta75 and below are v
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26801