{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/routeros/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-7668"}],"_cs_exploited":false,"_cs_products":["RouterOS (6.49.8)"],"_cs_severities":["medium"],"_cs_tags":["cve","out-of-bounds read","routeros"],"_cs_type":"advisory","_cs_vendors":["MikroTik"],"content_html":"\u003cp\u003eCVE-2026-7668 is an out-of-bounds read vulnerability affecting MikroTik RouterOS version 6.49.8. The vulnerability exists within the SCEP (Simple Certificate Enrollment Protocol) endpoint, specifically in the \u003ccode\u003eASN1_STRING_data\u003c/code\u003e function located in the \u003ccode\u003enova/lib/www/scep.p\u003c/code\u003e library. A remote attacker can exploit this vulnerability by manipulating the \u003ccode\u003etransactionID\u003c/code\u003e or \u003ccode\u003emessageType\u003c/code\u003e arguments. Publicly available exploits exist, increasing the risk of exploitation. The vendor has been notified but has not provided a response. Exploitation could lead to denial of service or information disclosure.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a MikroTik RouterOS device running version 6.49.8 with an exposed SCEP endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SCEP request containing a specially crafted \u003ccode\u003etransactionID\u003c/code\u003e or \u003ccode\u003emessageType\u003c/code\u003e argument.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious SCEP request to the RouterOS device\u0026rsquo;s SCEP endpoint.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eASN1_STRING_data\u003c/code\u003e function processes the request and attempts to access memory outside the allocated buffer due to the manipulated argument.\u003c/li\u003e\n\u003cli\u003eThe out-of-bounds read occurs, potentially leading to a crash of the SCEP process or the disclosure of sensitive information from adjacent memory regions.\u003c/li\u003e\n\u003cli\u003eIf the attacker can reliably trigger a crash, they can cause a denial of service.\u003c/li\u003e\n\u003cli\u003eIf sensitive information is disclosed, the attacker might use this to further compromise the device or network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7668 can lead to a denial of service condition on the affected MikroTik RouterOS device. An attacker could potentially cause the device to become unresponsive, disrupting network services. Furthermore, the out-of-bounds read could expose sensitive information stored in memory, which an attacker could use to further compromise the device or network. Since an exploit is publicly available, the risk of widespread exploitation is elevated.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor network traffic for SCEP requests with unusually long or malformed \u003ccode\u003etransactionID\u003c/code\u003e or \u003ccode\u003emessageType\u003c/code\u003e parameters. Use the network connection rule below.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the SCEP endpoint to mitigate potential denial-of-service attacks.\u003c/li\u003e\n\u003cli\u003eWhile no patch is available, consider disabling the SCEP endpoint if it is not required.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T14:00:00Z","date_published":"2024-01-02T14:00:00Z","id":"/briefs/2024-01-routeros-oob-read/","summary":"MikroTik RouterOS 6.49.8 is vulnerable to an out-of-bounds read in the SCEP endpoint component, triggered by remote manipulation of the transactionID/messageType argument, potentially leading to denial of service or information disclosure.","title":"MikroTik RouterOS SCEP Endpoint Out-of-Bounds Read Vulnerability (CVE-2026-7668)","url":"https://feed.craftedsignal.io/briefs/2024-01-routeros-oob-read/"}],"language":"en","title":"CraftedSignal Threat Feed — Routeros","version":"https://jsonfeed.org/version/1.1"}