Vulnerability CVE-2019-15055


Published: 2019-08-26

Description:
MikroTik RouterOS through 6.44.5 and 6.45.x through 6.45.3 improperly handles the disk name, which allows authenticated users to delete arbitrary files. Attackers can exploit this vulnerability to reset credential storage, which allows them access to the management interface as an administrator without authentication.

Type: CWE-20 (Improper Input Validation)

CVSS2 => (AV:N/AC:L/Au:S/C:N/I:P/A:P)

CVSS Base Score: 5.5/10
Impact Subscore: 4.9/10
Exploitability Subscore: 8/10

Exploit range: Remote
Attack complexity: Low
Authentication: Single time

Confidentiality impact: None
Integrity impact: Partial
Availability impact: Partial

Affected software: Mikrotik -> Routeros

References:
https://fortiguard.com/zeroday/FG-VD-19-108
https://github.com/tenable/routeros/tree/master/poc/cve_2019_15055
https://medium.com/tenable-techblog/rooting-routeros-with-a-usb-drive-16d7b8665f90
https://mikrotik.com/download/changelogs/testing-release-tree

Copyright 2024, cxsecurity.com
