CVE-2023-47310

6.5 MEDIUM

📋 TL;DR

A default configuration vulnerability in MikroTik RouterOS 7 allows incoming IPv6 UDP traceroute packets to bypass firewall rules. This affects all MikroTik RouterOS 7 installations with default settings, potentially exposing internal networks to unauthorized access.

💻 Affected Systems

Products:
  • MikroTik RouterOS
Versions: RouterOS 7 versions before 7.14
Operating Systems: RouterOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects IPv6 configurations; systems without IPv6 enabled are not vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could bypass firewall protections entirely, gaining unauthorized access to internal network resources and potentially launching further attacks.

🟠 Likely Case

Network reconnaissance and information leakage about internal network topology and services through IPv6 traceroute responses.

🟢 If Mitigated

Minimal impact if proper firewall rules are configured to block unauthorized IPv6 traffic.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted IPv6 UDP traceroute packets to vulnerable devices.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: RouterOS 7.14

Vendor Advisory: https://forum.mikrotik.com/t/fixed-in-7-14-security-vulnerability-default-configuration-firewall-bypass-for-ipv6-udp/262186

Restart Required: Yes

Instructions:

  1. Log into the RouterOS web interface or CLI.
  2. Check the current version with '/system package update check'.
  3. If the version is below 7.14, download and install the RouterOS 7.14 update.
  4. Reboot the router after the installation completes.

🔧 Temporary Workarounds

Manual IPv6 Firewall Rule

Add an explicit firewall rule to drop incoming IPv6 UDP traceroute packets:

/ipv6 firewall filter add chain=input protocol=udp dst-port=33434-33523 action=drop comment="Block IPv6 traceroute"

🧯 If You Can't Patch

  • Disable IPv6 entirely if not required for network operations
  • Implement network-level filtering to block IPv6 UDP traceroute packets at upstream devices

🔍 How to Verify

Check if Vulnerable:

Check the RouterOS version with '/system resource print'. If the version is below 7.14 and IPv6 is enabled, the system is vulnerable.

Check Version:

/system resource print

Verify Fix Applied:

After updating to 7.14, verify the version with '/system resource print' and test with IPv6 traceroute packets from an external network.
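The version check above is easy to get wrong by hand (a string comparison puts "7.9" after "7.14"). The following added example, not part of this advisory or of MikroTik's tooling, parses the output of '/system resource print' into a numeric tuple and applies the advisory's rule (RouterOS 7 below 7.14 with IPv6 enabled). The sample output is constructed; only the "version:" line is relied on.

```python
import re
from typing import Optional, Tuple

# Constructed sample of `/system resource print` output (only the version line matters).
SAMPLE_RESOURCE_PRINT = """\
                   uptime: 3d4h12m
                  version: 7.13.2 (stable)
               build-time: Dec/13/2023 09:58:58
              free-memory: 180.3MiB
             total-memory: 256.0MiB
"""

# First fixed release per the advisory.
FIXED_VERSION = (7, 14)


def parse_routeros_version(resource_print: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric version tuple from the 'version:' line, or None if absent."""
    m = re.search(r"^\s*version:\s*(\d+(?:\.\d+)*)", resource_print, re.MULTILINE)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def affected_by_cve_2023_47310(resource_print: str, ipv6_enabled: bool) -> bool:
    """Advisory rule: RouterOS 7 before 7.14 with IPv6 enabled is affected.

    Tuple comparison avoids the lexical trap where '7.9' sorts after '7.14'.
    """
    version = parse_routeros_version(resource_print)
    if version is None:
        raise ValueError("no 'version:' line found in the supplied output")
    if version[0] != 7:
        return False  # the advisory scopes this issue to RouterOS 7
    return ipv6_enabled and version < FIXED_VERSION


if __name__ == "__main__":
    print("version:", parse_routeros_version(SAMPLE_RESOURCE_PRINT))
    print("affected (IPv6 on):", affected_by_cve_2023_47310(SAMPLE_RESOURCE_PRINT, True))
```

Paste the real '/system resource print' output in place of the constructed sample; the IPv6 flag has to come from your own configuration check, since the version output does not say whether IPv6 is enabled.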

📡 Detection & Monitoring

Log Indicators:

  • Unexpected IPv6 UDP packets on ports 33434-33523 in firewall logs
  • Increased IPv6 traffic from external sources

Network Indicators:

  • IPv6 traceroute responses from the internal network to external sources
  • Unusual IPv6 UDP traffic patterns

SIEM Query:

source_port >= 33434 AND source_port <= 33523 AND protocol=udp AND ip_version=6
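To turn the log indicators above into something that runs, here is an added example (not from this advisory or from MikroTik) that scans firewall log lines for IPv6 UDP packets with a port in 33434-33523 on either side: the destination-port check mirrors the workaround rule on this page, and the source-port check mirrors the SIEM query. The log lines are constructed in an assumed RouterOS-like layout ("proto X, src:port->dst:port, len N"); the parser only relies on that shape, so adapt the regex if your log prefix differs.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Port range named in the advisory (33434-33523 inclusive).
TRACEROUTE_PORTS = range(33434, 33524)

# Constructed sample lines in an assumed RouterOS-style firewall log layout; not captured from a device.
SAMPLE_LOG = """\
jan/02 10:11:12 firewall,info ipv6-in input: in:ether1 out:(unknown 0), proto UDP, 2001:db8:feed::1:33434->2001:db8::1:53, len 60
jan/02 10:11:13 firewall,info ipv6-in input: in:ether1 out:(unknown 0), proto UDP, 2001:db8:feed::1:54321->2001:db8::1:33440, len 40
jan/02 10:11:14 firewall,info ipv6-in input: in:ether1 out:(unknown 0), proto UDP, 2001:db8:feed::1:54322->2001:db8::1:53, len 60
jan/02 10:11:15 firewall,info ipv4-in input: in:ether1 out:(unknown 0), proto UDP, 198.51.100.7:33434->192.0.2.1:53, len 40
jan/02 10:11:16 firewall,info ipv6-in input: in:ether1 out:(unknown 0), proto TCP (SYN), 2001:db8:feed::2:33434->2001:db8::1:22, len 80
"""

# Matches "proto UDP, <src>:<port>-><dst>:<port>," (and tolerates flags such as "TCP (SYN)").
LINE_RE = re.compile(r"proto (?P<proto>\w+)[^,]*, (?P<src>[^\s>-]+)->(?P<dst>[^\s,]+),")


@dataclass
class Finding:
    line_no: int
    src: str
    src_port: int
    dst: str
    dst_port: int
    reason: str


def split_addr_port(endpoint: str) -> Tuple[str, int]:
    """Split 'addr:port' on the last colon, which is safe for IPv6 literals."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def is_ipv6(host: str) -> bool:
    try:
        return ipaddress.ip_address(host).version == 6
    except ValueError:
        return False


def scan_firewall_log(log_text: str) -> List[Finding]:
    """Flag IPv6 UDP packets whose source or destination port lies in the traceroute range."""
    findings: List[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.search(line)
        if not m or m.group("proto").upper() != "UDP":
            continue
        src, sport = split_addr_port(m.group("src"))
        dst, dport = split_addr_port(m.group("dst"))
        if not is_ipv6(src):
            continue  # the advisory concerns IPv6 only
        reasons = []
        if dport in TRACEROUTE_PORTS:
            reasons.append("dst-port in traceroute range (matches the workaround rule)")
        if sport in TRACEROUTE_PORTS:
            reasons.append("src-port in traceroute range (matches the SIEM query)")
        if reasons:
            findings.append(Finding(line_no, src, sport, dst, dport, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in scan_firewall_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src}:{f.src_port} -> {f.dst}:{f.dst_port}  [{f.reason}]")
```

Only lines that the firewall actually logs can be scanned, so the workaround rule (or an equivalent accept rule) needs a matching log action for this to see anything; IPv4 and non-UDP lines are skipped by design.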
