CVE-2025-10948
📋 TL;DR
A buffer overflow vulnerability in MikroTik RouterOS 7's libjson.so library allows remote attackers to execute arbitrary code or crash affected devices. This affects all systems running vulnerable RouterOS versions, particularly those with REST API exposed. Attackers can exploit this without authentication to potentially gain full control of routers.
💻 Affected Systems
- MikroTik RouterOS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete device compromise, lateral movement to internal networks, data exfiltration, and persistent backdoor installation.
Likely Case
Remote denial of service (router crash/reboot) or limited code execution to modify configurations, intercept traffic, or pivot to internal networks.
If Mitigated
If the REST API is disabled or firewalled, the remaining impact is limited to denial of service, and only where other attack vectors exist.
🎯 Exploit Status
Public proof-of-concept demonstrates reliable exploitation. The vulnerability is in a core parsing function accessible via REST API.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: RouterOS 7.20.1 or 7.21beta2
Vendor Advisory: https://help.mikrotik.com/docs/display/ROS/Changelog
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download RouterOS 7.20.1 or newer from the MikroTik website.
3. Upload the package to the router via WinBox/WebFig.
4. Install the update.
5. Reboot the router.
6. Verify the version with '/system package update print'.
🔧 Temporary Workarounds
Disable REST API
Disable the vulnerable REST API interface to prevent remote exploitation
/ip service disable www-ssl
/ip service disable api-ssl
/ip service disable www
/ip service disable api
Restrict REST API Access
Limit REST API access to trusted IP addresses only
/ip service set www-ssl disabled=no address=192.168.88.0/24
/ip service set api-ssl disabled=no address=192.168.88.0/24
🧯 If You Can't Patch
- Isolate affected routers in separate VLAN with strict firewall rules
- Implement network segmentation to limit lateral movement from compromised routers
🔍 How to Verify
Check if Vulnerable:
Check the RouterOS version with '/system resource print'. If the version is below 7.20.1 and is not 7.21beta2, the system is vulnerable.
Check Version:
/system resource print
Verify Fix Applied:
Verify that the version is 7.20.1 or higher with '/system resource print', and confirm that REST API functionality remains operational.
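A small helper, added here and not part of the advisory or of MikroTik's tooling, that applies the rule above to the output of '/system resource print'. The sample output is constructed, and treating every release after 7.21beta2 (such as 7.21 final or 7.22) as fixed is an assumption, since the advisory names only 7.20.1 and 7.21beta2 as fix versions.

```python
import re

# Fix versions named in the advisory: 7.20.1 (stable) and 7.21beta2 (testing).
FIXED_STABLE = "7.20.1"
FIXED_TESTING = "7.21beta2"

# Accepts "7.20.1", "7.20", "7.21beta2", "7.21rc1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:(beta|rc)(\d+))?$")
_STAGE_RANK = {"beta": 0, "rc": 1, None: 2}  # final release sorts after rc


def parse_version(text):
    """Turn a RouterOS version string into a sortable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised RouterOS version: {text!r}")
    major, minor, patch, stage, stage_num = m.groups()
    return (int(major), int(minor), int(patch or 0),
            _STAGE_RANK[stage], int(stage_num or 0))


def version_from_resource_print(output):
    """Extract the version from '/system resource print' output, dropping '(stable)'."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "version":
            return value.strip().split()[0]
    raise ValueError("no 'version:' line found in output")


def is_vulnerable(version):
    """Apply the advisory's rule: below 7.20.1 and not 7.21beta2 is vulnerable."""
    v = parse_version(version)
    if v[:2] == (7, 21):
        # The 7.21 testing train is fixed from beta2 onward (beta1 is not).
        return v < parse_version(FIXED_TESTING)
    # Assumption: releases after 7.21 carry the fix; the advisory lists only the two above.
    return v < parse_version(FIXED_STABLE)


# Constructed sample of '/system resource print' output (not a real device).
SAMPLE_RESOURCE_PRINT = """\
                   uptime: 3d4h12m9s
                  version: 7.19.2 (stable)
               build-time: 2025-06-19 11:02:24
              free-memory: 220.5MiB
"""

if __name__ == "__main__":
    found = version_from_resource_print(SAMPLE_RESOURCE_PRINT)
    print(found, "vulnerable" if is_vulnerable(found) else "fixed")
```

Paste the real output of '/system resource print' in place of the constructed sample to check a device offline.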
📡 Detection & Monitoring
Log Indicators:
- Unusual REST API requests to /rest/ip/address/print
- Router crash/reboot logs
- Unusual process creation in system logs
Network Indicators:
- Multiple malformed JSON requests to router REST API
- Unexpected outbound connections from router
SIEM Query:
source="routeros" AND (uri="/rest/ip/address/print" OR event="crash" OR event="reboot")
🔗 References
- https://github.com/a2ure123/libjson-unicode-buffer-overflow-poc
- https://github.com/a2ure123/libjson-unicode-buffer-overflow-poc#technical-proof-of-concept
- https://vuldb.com/?ctiid.325818
- https://vuldb.com/?id.325818
- https://vuldb.com/?submit.652387