
Super Admin elevation bug puts 900,000 MikroTik devices at risk
2023-07-25 22:08

A critical severity 'Super Admin' privilege elevation flaw puts over 900,000 MikroTik RouterOS routers at risk, potentially enabling attackers to take full control over a device and remain undetected.

The flaw, now tracked as CVE-2023-30799, was first disclosed without a CVE identifier in June 2022. MikroTik fixed it in October 2022 for RouterOS stable (6.49.7) and on July 19, 2023, for RouterOS long-term.

Unlike the admin account, whose elevated privileges are still restricted, Super Admin gives full, unrestricted access to the underlying RouterOS operating system.

Exploitation still requires authenticating as admin. However, VulnCheck explains that RouterOS ships with a fully functional admin user by default, which nearly 60% of MikroTik devices still use despite the vendor's hardening guidance recommending its deletion.

The default admin password was an empty string until October 2021, when RouterOS 6.49 was released with a fix for this issue.

Finally, RouterOS does not enforce any password-strength requirements for the admin account, so users may set any password they like. That leaves devices open to brute-force attacks, against which MikroTik offers no protection except on the SSH interface.
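The three conditions above (an affected RouterOS build, the default admin user still present, and login services that are neither brute-force protected nor address-restricted) are easy to check across a fleet once an inventory exists. The following is an added example written for this page, not code from the article, MikroTik or VulnCheck. It encodes the affected range exactly as listed under Related Vulnerability below (stable before 6.49.7, long-term through 6.48.6); the inventory format, the field names and the sample records are assumptions constructed for the demonstration.

```python
"""Offline audit of a RouterOS device inventory for CVE-2023-30799 exposure.

Added example, not code from the article, MikroTik or VulnCheck. It encodes
three facts stated on this page: the affected version range ("stable before
6.49.7 and long-term through 6.48.6"), the default "admin" user that the
vendor's hardening guidance says to delete, and the absence of brute-force
protection on every login service except SSH. The inventory format and the
field names are assumptions made for this example; the records are constructed.
"""
import re
from typing import NamedTuple

# Affected range, as listed under "Related Vulnerability" on this page.
STABLE_FIRST_FIXED = (6, 49, 7)        # stable: affected if version < 6.49.7
LONGTERM_LAST_AFFECTED = (6, 48, 6)    # long-term: affected if version <= 6.48.6
DEFAULT_ADMIN = "admin"                # account RouterOS ships with by default
BRUTE_FORCE_PROTECTED = {"ssh"}        # the only login service with protection

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """'6.48.6' -> (6, 48, 6); '6.49' -> (6, 49, 0).

    A trailing tag such as 'rc1' is dropped (assumption: for this check a
    pre-release sorts with its base version)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(version, channel):
    """True if (version, channel) falls in the page's affected range.

    Only the 6.x ranges the page lists are encoded; a 7.x build compares
    above 6.49.7 and is therefore reported as not affected by this check."""
    v = parse_version(version)
    if channel == "stable":
        return v < STABLE_FIRST_FIXED
    if channel == "long-term":
        return v <= LONGTERM_LAST_AFFECTED
    raise ValueError(f"unknown release channel: {channel!r}")


class Finding(NamedTuple):
    host: str
    issues: tuple


def audit_device(dev):
    """Return the list of issues for one inventory record (empty if clean)."""
    issues = []
    if is_vulnerable(dev["version"], dev["channel"]):
        issues.append(
            f"CVE-2023-30799: RouterOS {dev['version']} ({dev['channel']}) "
            "is in the affected range; upgrade")
    if DEFAULT_ADMIN in dev["users"]:
        issues.append(
            "default 'admin' user still present; create a replacement "
            "full-group user and delete it (vendor hardening guidance)")
    # services: {name: allowed source addresses}; "" means reachable from anywhere
    for name, allowed in dev["services"].items():
        if not allowed and name not in BRUTE_FORCE_PROTECTED:
            issues.append(
                f"{name} login service has no address restriction and no "
                "brute-force protection; restrict it to management addresses")
    return issues


def audit(inventory):
    """Run audit_device over every record; return only hosts with findings."""
    findings = []
    for dev in inventory:
        issues = audit_device(dev)
        if issues:
            findings.append(Finding(dev["host"], tuple(issues)))
    return findings


# Constructed sample inventory for the demonstration (not real devices).
SAMPLE_INVENTORY = [
    {"host": "edge-1", "version": "6.48.6", "channel": "long-term",
     "users": ["admin"], "services": {"winbox": "", "ssh": ""}},
    {"host": "edge-2", "version": "6.49.7", "channel": "stable",
     "users": ["netops"], "services": {"winbox": "10.0.0.0/24", "ssh": "10.0.0.0/24"}},
    {"host": "edge-3", "version": "6.49", "channel": "stable",
     "users": ["netops", "admin"], "services": {"www": ""}},
    {"host": "edge-4", "version": "6.49.8", "channel": "long-term",
     "users": ["netops"], "services": {"ssh": ""}},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding.host)
        for issue in finding.issues:
            print("  -", issue)
```

Run as-is, the script reports edge-1 and edge-3 (each with three issues) and stays silent on edge-2 and edge-4. The version comparison deliberately treats a missing patch level as 0, so a device reporting just "6.49" is counted inside the stable range below 6.49.7; the SSH exemption in the service check mirrors only what the page states about brute-force protection and is not a reason to leave SSH open to the internet.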


News URL

https://www.bleepingcomputer.com/news/security/super-admin-elevation-bug-puts-900-000-mikrotik-devices-at-risk/

Related Vulnerability

DATE         CVE             VULNERABILITY TITLE                              RISK
2023-07-19   CVE-2023-30799  Unspecified vulnerability in Mikrotik Routeros   7.2 (network, low complexity; vendor: mikrotik)

MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6 are vulnerable to a privilege escalation issue.

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Mikrotik 30 1 59 16 4 80