CRITICAL🇵🇱 Wersja polska

CVE-2025-61481

CVSS 10.0v3.1pub. 2025-10-27upd. 2026-04-15

An issue in MikroTik RouterOS v.7.14.2 and SwOS v.2.18 exposes the WebFig management interface over cleartext HTTP by default, allowing an on-path attacker to execute injected JavaScript in the administrator’s browser and intercept credentials.

🤖 AI Analysis
How it works

The WebFig interface, used to manage MikroTik devices through a web browser, by default operates on the unencrypted HTTP protocol instead of HTTPS. An attacker positioned on the communication path (on-path attacker, e.g., on the same LAN or routing path) can intercept traffic in plaintext. The lack of encryption enables both passive eavesdropping of transmission (theft of login credentials) and active injection of malicious JavaScript code into the HTTP server response, which will then be executed in the authenticated administrator's browser.

Impact

An attacker can intercept administrator credentials of the MikroTik device and execute arbitrary JavaScript code in the administrator's browser (XSS), which in practice means the possibility of taking full control of the network device and potentially the entire managed infrastructure.

Mitigation & patch

Patches available from the manufacturer should be applied according to references. Until updates are deployed, it is recommended to: disable access to the WebFig interface over HTTP and enforce HTTPS (if available), restrict access to the management interface exclusively to trusted IP addresses using a firewall, and use alternative encrypted management methods (e.g., SSH, Winbox over VPN).

Who is affected

MikroTik RouterOS v.7.14.2 and MikroTik SwOS v.2.18 — devices with WebFig interface enabled by default and accessible over HTTP

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References