Risk | Low |
Patch available | YES |
Number of vulnerabilities | 4 |
CVE-ID | CVE-2020-20214 CVE-2020-20222 CVE-2020-20236 CVE-2020-20237 |
CWE-ID | CWE-617 CWE-476 CWE-119 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
MikroTik RouterOS Hardware solutions / Routers & switches, VoIP, GSM, etc |
Vendor | MikroTik |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
Updated 01.06.2021
Added fixed version.
EUVDB-ID: #VU52987
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-20214
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion within the btest process. A remote authenticated user can send specially crafted packet to the system and trigger an assertion failure.
Install update from vendor's website.
Vulnerable software versionsMikroTik RouterOS: 6.40 - 6.48.2
CPE2.3http://seclists.org/fulldisclosure/2021/May/15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU52988
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-20222
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error within the sniffer process. A remote authenticated user can pass specially crafted data to the system and perform a denial of service (DoS) attack.
MitigationInstall update from vendor's website.
Vulnerable software versionsMikroTik RouterOS: 6.40 - 6.48.2
CPE2.3http://seclists.org/fulldisclosure/2021/May/15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU52989
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-20236
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error within the sniffer process. A remote authenticated user can pass specially crafted data to the system, trigger invalid memory access and crash the affected process.
Install update from vendor's website.
Vulnerable software versionsMikroTik RouterOS: 6.46.3 - 6.48.2
CPE2.3http://seclists.org/fulldisclosure/2021/May/15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU52990
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-20237
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error within the sniffer process. A remote authenticated user can pass specially crafted data to the system, trigger invalid memory access and crash the affected process.
Install update from vendor's website.
Vulnerable software versionsMikroTik RouterOS: 6.46.3 - 6.48.2
CPE2.3http://seclists.org/fulldisclosure/2021/May/15
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.