CVE-2025-61481
📋 TL;DR
MikroTik RouterOS and SwOS expose the WebFig management interface over unencrypted HTTP by default. An attacker positioned on the network path between an administrator and the device can alter the HTTP responses and inject JavaScript into the administrator's WebFig session, which allows credential theft and, with captured administrator credentials, full control of the device. Every administrator who reaches WebFig over plain HTTP on an affected version is exposed.
💻 Affected Systems
- MikroTik RouterOS
- MikroTik SwOS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine whether your system is affected.
Why? The CVE database entry does not state which versions are vulnerable (no version ranges were provided by the vendor or NVD), so version matching is not possible.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full administrative control of router/switch, intercepts all credentials, deploys persistent backdoors, and pivots to internal networks.
Likely Case
Administrator credentials are stolen during login sessions, leading to unauthorized access to network devices.
If Mitigated
With plain HTTP disabled (HTTPS only) and WebFig reachable solely from a segmented management network, an on-path attacker can no longer read or alter the session, so the injection has no vector. Residual risk is limited to a compromise of the management network itself or an administrator clicking through a forged certificate warning.
🎯 Exploit Status
Exploitation requires an on-path position (a foothold on the same segment as the administrator, or on any hop between the administrator and the device). Once that position is obtained, no further exploit is needed: rewriting an unencrypted HTTP response to add a script is enough.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: RouterOS >7.14.2, SwOS >2.18
Vendor Advisory: https://help.mikrotik.com/docs/spaces/ROS/pages/328131/WebFig
Restart Required: Yes for RouterOS. /system package update install reboots the device to apply the new packages; a SwOS firmware upgrade also reboots the switch.
Instructions:
1. Connect to the RouterOS device over WinBox or the CLI (SSH). SwOS has no CLI: open its web interface from a trusted host on the management network.
2. RouterOS: check the installed and available versions:
   /system package update check-for-updates
3. RouterOS: download and install the new packages (the device reboots):
   /system package update install
   SwOS: upload the new firmware image through the web interface's upgrade tab and let the switch reboot.
4. Confirm the running version with /system resource print, then confirm that WebFig is reachable only over HTTPS (see How to Verify below).
🔧 Temporary Workarounds
Force HTTPS for WebFig
Serve WebFig only over TLS and disable the plaintext service. www-ssl will not serve TLS until a certificate is assigned to it; the two /certificate lines create a self-signed one (replace ROUTER_NAME with the hostname or IP administrators type into the browser, or import a certificate from your own CA instead). Run this from a session that does not depend on port 80, such as WinBox or SSH.
/certificate add name=webfig common-name=ROUTER_NAME key-usage=digital-signature,key-encipherment,tls-server
/certificate sign webfig
/ip service set www-ssl certificate=webfig port=443 disabled=no
/ip service set www disabled=yes
Restrict WebFig Access
Allow the management ports only from trusted administrator addresses. The accept rule must sit above the drop rule (they are added in that order here); replace TRUSTED_IP with an address or subnet and make sure your own session comes from it before adding the drop, or you will lock yourself out.
/ip firewall filter add chain=input protocol=tcp dst-port=80,443 src-address=TRUSTED_IP action=accept
/ip firewall filter add chain=input protocol=tcp dst-port=80,443 action=drop
The service itself can also be bound to trusted sources with the address= parameter of /ip service. Note that restricting sources does not encrypt anything: an attacker on the path between a trusted administrator and the device can still inject into plain HTTP, so this is a complement to, not a substitute for, disabling the www service.
🧯 If You Can't Patch
- Disable WebFig entirely and use WinBox or CLI for management
- Implement network segmentation to isolate management interfaces from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Browse to http://ROUTER_IP/ from a management host. If the WebFig login page loads (an HTTP 200 response) instead of the connection being refused or redirected to https://, the device is serving its management interface in plaintext.
Check Version:
/system resource print
Verify Fix Applied:
Browse to http://ROUTER_IP/ again: the connection should be refused or redirect to https://. Then open https://ROUTER_IP/ and confirm that the certificate presented is the one you assigned to www-ssl or one issued by your CA. A certificate warning at every login trains administrators to click through, which is exactly what an on-path attacker needs, so fix the certificate rather than tolerating the warning.
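The manual check above can be scripted. The following is an added example, not part of the original advisory or of MikroTik's tooling: it requests / over plaintext HTTP, classifies the answer, and then confirms that TLS is offered on 443. It assumes (nothing on the page states this) that the device answers with the standard WebFig service on TCP/80 and TCP/443; the router address in the usage line is a placeholder.

```python
"""Probe a MikroTik device for WebFig served over plaintext HTTP.

Added example, not original page content. Assumptions: the device runs the
standard WebFig service on TCP/80 and TCP/443; any 2xx or non-https redirect
on port 80 means the interface is still served in plaintext, a 3xx to an
https:// Location means HTTP only bounces to TLS, and a refused connection or
4xx/5xx means plaintext access is closed. The target below is a placeholder."""
import hashlib
import http.client
import socket
import ssl
import sys


def classify_http(status, headers):
    """Classify a plaintext HTTP response from the management port.

    status: integer HTTP status code
    headers: dict of lower-cased header names to values
    """
    location = headers.get("location", "").lower()
    if 300 <= status < 400:
        # A redirect to https:// is acceptable; a redirect to another http://
        # or relative URL means the interface is still reachable in plaintext.
        return "redirects-to-https" if location.startswith("https://") else "plaintext-webfig"
    if 200 <= status < 300:
        return "plaintext-webfig"        # vulnerable state: WebFig served over HTTP
    return "http-closed"                 # 4xx/5xx: nothing useful on this port


def probe_http(host, port=80, timeout=5.0):
    """GET / over plaintext HTTP; return (classification, status or None)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        resp.read()
        return classify_http(resp.status, headers), resp.status
    except OSError:                      # refused, timed out or unreachable
        return "http-closed", None
    finally:
        conn.close()


def probe_https(host, port=443, timeout=5.0):
    """Confirm TLS is offered on the management port.

    Returns (handshake_ok, tls_version, der_certificate_bytes). Certificate
    verification is disabled because RouterOS usually runs a self-signed
    certificate; the DER bytes are returned so the operator can compare the
    fingerprint against the certificate assigned to www-ssl.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version(), tls.getpeercert(binary_form=True)
    except OSError:                      # ssl.SSLError is a subclass of OSError
        return False, None, None


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"   # placeholder router address
    verdict, code = probe_http(target)
    print(f"http://{target}/ -> {verdict} (status {code})")
    ok, version, der = probe_https(target)
    if ok:
        print(f"https://{target}/ -> {version}, cert SHA-256 {hashlib.sha256(der).hexdigest()}")
    else:
        print(f"https://{target}/ -> no TLS service answered")
```

Run it as `python3 webfig_probe.py ROUTER_IP` before and after applying the workaround: the expected change is from `plaintext-webfig` to `http-closed` (or `redirects-to-https`), while the certificate fingerprint printed for port 443 should match the one shown under /certificate print on the device.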
📡 Detection & Monitoring
Log Indicators:
- WebFig logins from addresses outside the management range: RouterOS records these as system,info,account entries of the form "user NAME logged in from IP via web"
- Repeated "login failure for user NAME from IP via web" entries, which can indicate replay of stolen credentials or a guessing attack
- RouterOS does not log client-side script errors and these entries do not distinguish HTTP from HTTPS sessions; traffic or flow data is needed to tell plaintext use apart
Network Indicators:
- TCP/80 traffic to device management addresses, especially after the www service was supposed to be disabled
- Credentials visible in plaintext HTTP request bodies sent to the device
- Unexpected script tags or external script sources in HTTP responses coming from the device
SIEM Query:
Pseudo-SPL over firewall or flow logs (the source, field names and the management address list are placeholders for your environment). Only port 80 is of interest: after the fix, management traffic should appear exclusively on TCP/443, so any plaintext HTTP to a device is worth a ticket.
source="firewall_logs" dest_ip IN (MGMT_DEVICE_IPS) transport="tcp" dest_port=80 | stats count by src_ip, dest_ip
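The log and network indicators above, run over constructed data, as an added example that is not part of the original advisory. It assumes (the page does not state this) that RouterOS remote-syslog lines arrive as "<topics> <message>" with account events of the form "user NAME logged in from IP via SERVICE" and "login failure for user NAME from IP via SERVICE", and that WebFig sessions show SERVICE as "web". The management subnet, device address and every log line and flow record are constructed for the example.

```python
"""Detect suspicious WebFig use in RouterOS logs and plaintext management flows.

Added example, not original page content. Assumed log layout: RouterOS
remote syslog '<topics> <message>' with account events
'user NAME logged in from IP via SERVICE' and
'login failure for user NAME from IP via SERVICE'; WebFig shows SERVICE 'web'.
The subnet, device address, log lines and flows are all constructed."""
import ipaddress
import re

TRUSTED_MGMT = [ipaddress.ip_network("192.0.2.0/28")]      # placeholder admin jump subnet
DEVICE_ADDRS = {ipaddress.ip_address("192.0.2.1")}          # placeholder router management IP

LOGIN_RE = re.compile(
    r"user (?P<user>\S+) logged in from (?P<src>[0-9a-fA-F.:]+) via (?P<svc>\w+)")
FAILURE_RE = re.compile(
    r"login failure for user (?P<user>\S+) from (?P<src>[0-9a-fA-F.:]+) via (?P<svc>\w+)")

# Constructed log lines in the assumed RouterOS remote-syslog layout.
SAMPLE_LOG = """\
system,info,account user admin logged in from 192.0.2.5 via web
system,info,account user admin logged in from 198.51.100.23 via web
system,error,critical login failure for user admin from 198.51.100.23 via web
system,info,account user ops logged in from 192.0.2.7 via winbox
system,info,account user admin logged in from 203.0.113.9 via ssh
""".splitlines()

# Constructed flow records: (src, dst, dst_port, transport).
SAMPLE_FLOWS = [
    ("192.0.2.5", "192.0.2.1", 443, "tcp"),       # expected: TLS from a trusted admin
    ("192.0.2.5", "192.0.2.1", 80, "tcp"),        # trusted admin, but plaintext: exposed
    ("198.51.100.23", "192.0.2.1", 80, "tcp"),    # untrusted source probing plaintext WebFig
    ("192.0.2.7", "192.0.2.1", 8291, "tcp"),      # WinBox, out of scope here
    ("192.0.2.5", "192.0.2.99", 80, "tcp"),       # port 80 to a non-device host: ignore
]


def _trusted(ip, trusted):
    return any(ip in net for net in trusted)


def analyze_logs(lines, trusted=TRUSTED_MGMT):
    """Return (finding, user, src, service) for management logins from untrusted sources.

    WebFig events get their own finding names because a login from an unknown
    address over the web service is the most direct sign of a stolen session.
    """
    findings = []
    for line in lines:
        failed = False
        m = LOGIN_RE.search(line)
        if not m:
            m = FAILURE_RE.search(line)
            failed = True
        if not m:
            continue
        src = ipaddress.ip_address(m["src"])
        if _trusted(src, trusted):
            continue
        if m["svc"] == "web":
            kind = "webfig-login-failure-untrusted-src" if failed else "webfig-login-untrusted-src"
        else:
            kind = "mgmt-login-untrusted-src"
        findings.append((kind, m["user"], str(src), m["svc"]))
    return findings


def plaintext_mgmt_flows(flows, devices=DEVICE_ADDRS):
    """Return flows that reach a device on TCP/80: plaintext WebFig use or a probe for it.

    Trusted sources are deliberately not excluded: an administrator on plain
    HTTP is precisely the session an on-path attacker can inject into.
    """
    return [f for f in flows
            if f[3] == "tcp" and f[2] == 80 and ipaddress.ip_address(f[1]) in devices]


if __name__ == "__main__":
    for finding in analyze_logs(SAMPLE_LOG):
        print("LOG ", *finding)
    for flow in plaintext_mgmt_flows(SAMPLE_FLOWS):
        print("FLOW", *flow)
```

On the constructed data the log pass raises three findings (a WebFig login and a WebFig login failure from 198.51.100.23, and an SSH login from 203.0.113.9) and the flow pass returns the two port-80 connections to the device. The two checks are complementary: the RouterOS log tells you who authenticated and from where but not whether TLS was used, while the flow data tells you plaintext was used but not by which account.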