CVE Vulnerability

CVE-2019-15055

MikroTik RouterOS through 6.44.5 and 6.45.x through 6.45.3 improperly handles the disk name, which allows authenticated users to delete arbitrary files. Attackers can exploit this vulnerability to reset credential storage, which allows them access to the management interface as an administrator without authentication.

5.5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

Scope

6.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://mikrotik.com/download/changelogs/testing-release-tree Release Notes Vendor Advisory
https://fortiguard.com/zeroday/FG-VD-19-108 Third Party Advisory
https://github.com/tenable/routeros/tree/master/poc/cve_2019_15055 Exploit Third Party Advisory
https://medium.com/tenable-techblog/rooting-routeros-with-a-usb-drive-16d7b8665f90 Press/Media Coverage Third Party Advisory
https://forum.mikrotik.com/viewtopic.php?t=151603
Configurations

Configuration 1

cpe:2.3:o:mikrotik:routeros:*:*:*:*:*:*:*:*
cpe:2.3:o:mikrotik:routeros:*:*:*:*:*:*:*:*
Information

Published : 2019-08-26 09:15

Updated : 2020-10-06 12:15

NVD link : CVE-2019-15055

Mitre link : CVE-2019-15055

Products Affected
No products.
CWE
CWE-22