MikroTik RouterOS - 14 CVEs (Page 1/1)

About “MikroTik RouterOS”

A curated feed of “MikroTik RouterOS”-related CVEs appears below. We currently track 14 CVEs for this tag (all time). In the last 365 days, 7 were published. Average CVSS is 6.9 (all time; 7.3 over 365d), and 36% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer, CWE-400 - Uncontrolled Resource Consumption, CWE-295 - Improper Certificate Validation.

In our taxonomy this topic maps to a LOW impact class. Network and security appliances sit on critical paths. Restrict management exposure, back up configs, and schedule firmware updates with policy validation. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: routeros

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle	Release	Latest	EOL	LTS
7.22	2026-03-10	7.22.3	-
7.21	2026-01-12	7.21.4	-	LTS
7.20	2025-09-30	7.20.8	2026-01-12 Expired	LTS
7.19	2025-05-22	7.19.6	2025-09-30 Expired
7.18	2025-02-24	7.18.2	2025-05-22 Expired
7.17	2025-01-16	7.17.2	2025-02-24 Expired
7.16	2024-09-24	7.16.2	2025-01-16 Expired
7.15	2024-05-30	7.15.3	2024-09-24 Expired
7.14	2024-03-25	7.14.3	2024-05-30 Expired
7.13	2023-12-14	7.13.5	2024-03-25 Expired
7.12	2023-11-09	7.12.2	2023-12-14 Expired
7.11	2023-08-15	7.11.3	2023-11-09 Expired
7.10	2023-06-15	7.10.2	2023-08-15 Expired
7.9	2023-05-02	7.9.2	2023-06-15 Expired
7.8	2023-02-24	7.8	2023-05-02 Expired
7.7	2023-01-12	7.7	2023-02-24 Expired
7.6	2022-10-17	7.6	2023-01-12 Expired
7.5	2022-08-30	7.5	2022-10-17 Expired
7.4	2022-07-19	7.4.1	2022-08-30 Expired
7.3	2022-06-06	7.3.1	2022-07-19 Expired
7.2	2022-03-31	7.2.3	2022-06-06 Expired
7.1	2021-12-01	7.1.5	2022-03-31 Expired
6.49	2021-10-06	6.49.19	2025-09-30 Expired	LTS
6.48	2020-12-22	6.48.7	- Expired
6.47	2020-06-02	6.47.10	- Expired
6.46	2019-12-02	6.46.8	- Expired	LTS
6.45	2019-06-21	6.45.9	- Expired	LTS
6.44	2019-02-25	6.44.6	- Expired	LTS
6.43	2018-09-06	6.43.16	- Expired	LTS
6.42	2018-04-13	6.42.12	- Expired	LTS
6.41	2017-12-22	6.41.4	- Expired
6.40	2017-07-21	6.40.9	- Expired	LTS
6.39	2017-04-27	6.39.3	- Expired	LTS
6.38	2016-12-30	6.38.7	- Expired	LTS
6.37	2016-09-23	6.37.5	- Expired	LTS
6.36	2016-07-20	6.36.3	- Expired
6.35	2016-04-14	6.35.4	- Expired
6.34	2016-01-29	6.34.6	- Expired	LTS
6.33	2015-11-06	6.33.6	- Expired
6.32	2015-09-07	6.32.4	- Expired	LTS
6.30	2015-07-08	6.30.4	- Expired	LTS
6.29	2015-05-27	6.29.1	- Expired
6.28	2015-04-15	6.28	- Expired
6.27	2015-02-11	6.27	- Expired
6.26	2015-02-03	6.26	- Expired
6.25	2015-01-19	6.25	- Expired
6.24	2014-12-23	6.24	- Expired
6.23	2014-12-04	6.23	- Expired
6.22	2014-11-11	6.22	- Expired
6.20	2014-10-01	6.21.1	- Expired
6.19	2014-08-26	6.19	- Expired
6.18	2014-08-01	6.18	- Expired
6.17	2014-07-18	6.17	- Expired
6.16	2014-07-17	6.16	- Expired
6.15	2014-06-12	6.15	- Expired
6.14	2014-06-06	6.14	- Expired
6.13	2014-05-15	6.13	- Expired
6.12	2014-04-14	6.12	- Expired
6.11	2014-03-20	6.11	- Expired
6.10	2014-02-12	6.10	- Expired
6.9	2014-01-31	6.9	- Expired
6.7	2013-11-29	6.7	- Expired
6.6	2013-11-07	6.6	- Expired
6.5	2013-10-16	6.5	- Expired
6.4	2013-09-12	6.4	- Expired
5.26	2013-09-04	5.26	- Expired
6.3	2013-09-03	6.3	- Expired
6.2	2013-08-02	6.2	- Expired
6.1	2013-06-12	6.1	- Expired
6.0	2013-05-17	6.0	- Expired
5.25	2013-04-25	5.25	- Expired
5.24	2013-02-19	5.24	- Expired
5.23	2013-01-29	5.23	- Expired
5.22	2012-11-23	5.22	- Expired
5.21	2012-10-12	5.21	- Expired
5.20	2012-08-15	5.20	- Expired
5.19	2012-07-16	5.19	- Expired
5.18	2012-06-21	5.18	- Expired
5.17	2012-05-28	5.17	- Expired
5.16	2012-05-09	5.16	- Expired
5.14	2012-02-22	5.14	- Expired
5.13	2012-02-14	5.13	- Expired
5.12	2012-01-19	5.12	- Expired
5.11	2011-12-12	5.11	- Expired
5.9	2011-11-29	5.9	- Expired
5.8	2011-11-01	5.8	- Expired
5.7	2011-09-14	5.7	- Expired
4.17	2011-03-02	4.17	- Expired
4.10	2010-05-26	4.10	- Expired
3.30	2009-09-11	3.30	- Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS · RSS (expired) · ICS

Subscribe CVEs: RSS for “MikroTik RouterOS” · RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0

2026-05-08

High

CVE-2024-27686

Mikrotik RouterOS (x86) 6.40.5 through 6.49.10 (fixed in 7) allows a remote attacker to cause a denial of service (device crash) via crafted packet data to the SMB service on TCP port 445.

CVSS: 7.5 CWE: CWE-400 - Uncontrolled Resource Consumption View on NVD

2026-05-05

Medium

CVE-2025-42611

RouterOS provides various services that rely on correct verification of client and server certificates to secure confidentiality and integrity of communications. This includes OpenVPN, CAPsMAN, Dot1x…

CVSS: 6.5 CWE: CWE-295 - Improper Certificate Validation View on NVD

2026-05-02

High

CVE-2026-7668

A vulnerability was identified in MikroTik RouterOS 6.49.8. This vulnerability affects the function ASN1_STRING_data in the library nova/lib/www/scep.p of the component SCEP Endpoint. The manipulatio…

CVSS: 7.3 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD

2025-10-27

Critical

CVE-2025-61481

An issue in MikroTik RouterOS v.7.14.2 and SwOS v.2.18 exposes the WebFig management interface over cleartext HTTP by default, allowing an on-path attacker to execute injected JavaScript in the admin…

CVSS: 10.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD

2025-09-25

High

CVE-2025-10948

A vulnerability has been found in MikroTik RouterOS 7. This affects the function parse_json_element of the file /rest/ip/address/print of the component libjson.so. The manipulation leads to buffer ov…

CVSS: 8.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD

2025-07-03

Medium

CVE-2025-6563

A cross-site scripting vulnerability is present in the hotspot of MikroTik's RouterOS on versions below 7.19.2. An attacker can inject the `javascript` protocol in the `dst` parameter. When the victi…

CVSS: 4.8 CWE: CWE-20 - Improper Input Validation View on NVD

2025-06-30

Medium

CVE-2023-47310

A misconfiguration in the default settings of MikroTik RouterOS 7 and fixed in v7.14 allows incoming IPv6 UDP traceroute packets.

CVSS: 6.5 CWE: CWE-1174 - ASP.NET Misconfiguration: Improper Model Validation View on NVD

2025-02-11

Medium

CVE-2024-54772

An issue was discovered in the Winbox service of MikroTik RouterOS long-term release v6.43.13 through v6.49.13 and stable v6.43 through v7.17.2. A patch is available in the stable release v6.49.18. A…

CVSS: 5.4 CWE: CWE-208 - Observable Timing Discrepancy View on NVD

2022-12-05

Medium

CVE-2022-45315

Mikrotik RouterOs before stable v7.6 was discovered to contain an out-of-bounds read in the snmp process. This vulnerability allows authenticated attackers to execute arbitrary code via a crafted pac…

CVSS: 6.4 CWE: CWE-125 - Out-of-bounds Read View on NVD

2017-02-27

Medium

CVE-2017-6297

The L2TP Client in MikroTik RouterOS versions 6.83.3 and 6.37.4 does not enable IPsec encryption after a reboot, which allows man-in-the-middle attackers to view transmitted data unencrypted and gain…

CVSS: 5.9 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD

2015-03-19

Medium

CVE-2015-2350

Cross-site request forgery (CSRF) vulnerability in MikroTik RouterOS 5.0 and earlier allows remote attackers to hijack the authentication of administrators for requests that change the administrator…

CVSS: 6.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD

2012-11-27

Medium

CVE-2012-6050

The winbox service in MikroTik RouterOS 5.15 and earlier allows remote attackers to cause a denial of service (CPU consumption), read the router version, and possibly have other impacts via a request…

CVSS: 6.4 CWE: CWE-16 View on NVD

2009-08-19

Medium

CVE-2008-6976

MikroTik RouterOS 3.x through 3.13 and 2.x through 2.9.51 allows remote attackers to modify Network Management System (NMS) settings via a crafted SNMP set request.

CVSS: 6.4 CWE: CWE-20 - Improper Input Validation View on NVD

2008-02-12

High

CVE-2008-0680

SNMPd in MikroTik RouterOS 3.2 and earlier allows remote attackers to cause a denial of service (daemon crash) via a crafted SNMP SET request.

CVSS: 7.8 CWE: N/A View on NVD