Denial of service in MikroTik RouterOS

Published: 2020-09-15 | Updated: 2020-09-21
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2020-11881
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
MikroTik RouterOS
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor MikroTik

Security Bulletin

This security bulletin contains information about 1 vulnerabilities.

Updated 21.09.2020

Added fixed version.

1) Improper Validation of Array Index

EUVDB-ID: #VU46736

Risk: Medium


CVE-ID: CVE-2020-11881

CWE-ID: CWE-129 - Improper Validation of Array Index

Exploit availability: Yes


The vulnerability allows a remote attacker to perform denial of service attack.

The vulnerability exists due to improper validation of array index when processing setup-requests in a built-in SMB server. A remote non-authenticated attacker can send specially crafted setup-request packets and crash the SMB server.


Install updates from vendor's website.

Vulnerable software versions

MikroTik RouterOS: 6.41.3 - 6.47.3

CPE2.3 External links

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?