CVE-2022-45313: Mikrotik RouterOs flaw can lead to execute arbitrary code

A vulnerability exists in MikroTik’s RouterOS in versions prior to stable v7.5, released on August 31, 2018. Details were published on November 11 and disclosed by Github user cq674350529.

RouterOS is a stand-alone operating system based on the Linux kernel. It powers MikroTik hardware devices but is also available for virtual machines.

The vulnerability, identified as CVE-2022-45313, was caused by a lack of proper validation that allows attackers to remotely execute code on affected devices.

A cybersecurity researcher has released a new proof-of-concept (PoC) RCE attack for an out-of-bounds read in the hotspot process that was found and patched in RouterOS version 7.5.

“The hotspot process suffers from an out-of-bounds read vulnerability. Due to lack of proper validation, by sending a crafted nova message with a specific u32_id key with negative value, it’s possible to cause out-of-bounds read, which may affect the function pointer of an indirect call furtherly. It’s possible for an authenticated user to achieve code execution,” the researcher wrote.

CVE-2022-45313 was initially found in Mikrotik RouterOS firmware long-term version 6.44.6. The researcher reported the bug to MikroTik on July 29, and the company addressed the vulnerabilities by releasing its RouterOS version 7.5 in August.

With the proof-of-concept (PoC) exploit now made public, it is important for all MikroTik users to upgrade to the latest version.