A newly disclosed vulnerability, CVE-2025-61481, rated the maximum CVSS score of 10.0, affects MikroTik RouterOS (through v7.14.2) and SwOS (through v2.18) and allows remote attackers to execute arbitrary code or intercept credentials via the WebFig management interface, which is served over plain HTTP, without HTTPS protection, by default.
According to the report, “MikroTik RouterOS through version 7.14.2 and SwOS through version 2.18 initialize the WebFig management interface with HTTP enabled by default and without automatic redirection to HTTPS.”
The issue was discovered by security researcher Oliver Bölin, who demonstrated that after a factory reset, affected devices—including popular models such as the CRS326-24G-2S+—serve their entire management UI, including the login page, over cleartext HTTP, leaving sensitive data visible to anyone monitoring the network.
During authentication, the browser-side JavaScript of the WebFig interface stores credentials in window.sessionStorage and transmits them unencrypted over port 80, enabling man-in-the-middle (MitM) attacks on the local network.
As described in the report, “Packet capture confirms that management traffic and credentials are fully visible and modifiable in transit.”
This means any on-path attacker—such as one connected to the same Wi-Fi network or switch segment—can intercept, replay, or even tamper with the session. Once the attacker obtains admin credentials, they can alter routing tables, modify firewall rules, or implant persistent scripts for remote code execution.
The vulnerability affects MikroTik RouterOS 7.14.2 (stable channel) and SwOS 2.18, with a strong likelihood that other models using the same WebFig component are also impacted.
Trend analysis suggests the vulnerability could expose thousands of MikroTik devices deployed in SMB and ISP environments, where WebFig is frequently enabled for local configuration. Because these interfaces are HTTP-only by default, administrators may be unaware that their sessions lack encryption.
The report warns, “This insecure default configuration exposes administrators to credential theft and session tampering via simple man-in-the-middle attacks on the local network.”
If exploited, an attacker could not only harvest credentials but also inject malicious configurations or firmware, potentially pivoting to internal systems or deploying botnet agents—similar to previous MikroTik exploitation waves such as Manga, Meris, and Trickbot’s router-based modules.
To exploit CVE-2025-61481, an attacker must have network-level access—for instance, by connecting to the same LAN segment or wireless network as the targeted device. No prior authentication is required to capture credentials during the administrator’s login process.
As the advisory explains, “An attacker must have network-level access capable of intercepting or modifying HTTP traffic between the administrator’s browser and the device.”
The researcher recommends:
- Restrict WebFig access to trusted VLANs or management networks only.
- Manually enable HTTPS within the WebFig configuration page.
- Use encrypted alternatives such as SSH or VPN tunnels for device management.
- Disable HTTP access entirely where possible.
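The RouterOS side of those recommendations, written out as an added example (not commands from the advisory or from MikroTik): it binds a certificate to www-ssl, restricts management services to a management subnet and only then disables cleartext www. The subnet 10.0.10.0/24, the certificate names webfig-ca / webfig-cert and the common name router.mgmt.example are placeholders chosen for this example; the block applies to RouterOS v7 only, since SwOS has no scripting interface.

```routeros
# Added example, not from the advisory. Placeholders: 10.0.10.0/24 is the
# assumed management subnet; webfig-ca, webfig-cert and router.mgmt.example
# are names chosen for this example.

# 1. Inspect the current state. On a fresh device www (HTTP) is enabled,
#    www-ssl is disabled and has no certificate bound.
/ip service print

# 2. Create a local CA and a server certificate so www-ssl has something
#    to present. Use the name or address administrators actually browse to
#    as the common-name, otherwise browsers will warn on every login.
/certificate add name=webfig-ca common-name=webfig-ca key-usage=key-cert-sign,crl-sign
/certificate sign webfig-ca
/certificate add name=webfig-cert common-name=router.mgmt.example
/certificate sign webfig-cert ca=webfig-ca

# 3. Enable HTTPS, bind the certificate and limit it to the management
#    subnet before touching the HTTP listener.
/ip service set www-ssl disabled=no certificate=webfig-cert address=10.0.10.0/24

# 4. Now remove cleartext HTTP. There is no HTTP->HTTPS redirect to lose:
#    the advisory's point is that WebFig never redirected in the first place.
/ip service set www disabled=yes

# 5. Apply the same subnet restriction to the remaining management
#    services and turn off the legacy cleartext ones that are not needed.
/ip service set ssh address=10.0.10.0/24
/ip service set winbox address=10.0.10.0/24
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set api disabled=yes

# 6. Verify: www should be flagged disabled; www-ssl should list the
#    certificate and the address restriction.
/ip service print
```

Export the certificate with /certificate export-certificate webfig-ca and install it in the administrators' browser trust store so the HTTPS login page validates cleanly; a self-signed certificate that users click through on every visit is easy to substitute in a man-in-the-middle position.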