Back to KEVs

CVE-2018-14847

MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write...

Basic Information

CVE State: PUBLISHED
Reserved Date: August 02, 2018
Published Date: August 02, 2018
Last Updated: February 04, 2025
Vendor: n/a
Product: n/a
Description: MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.

CVSS Scores

SSVC Information

Exploitation: active
Automatable: Yes
Technical Impact: total

Exploit Status

Exploited in the Wild: Yes (added 2021-12-01 00:00:00 UTC) Source
Proof of Concept Available: Yes (added 2025-04-16 18:37:08 UTC) Source

References

https://www.exploit-db.com/exploits/45578/ https://github.com/BigNerd95/WinboxExploit https://github.com/tenable/routeros/blob/master/bug_hunting_in_routeros_derbycon_2018.pdf https://github.com/BasuCert/WinboxPoC https://github.com/tenable/routeros/tree/master/poc/cve_2018_14847 https://n0p.me/winbox-bug-dissection/ https://github.com/tenable/routeros/tree/master/poc/bytheway

Known Exploited Vulnerability Information

Source	Added Date
CISA	2021-12-01 00:00:00 UTC

Potential Proof of Concepts

Warning: These PoCs have not been tested and could contain malware. Use at your own risk.

tausifzaman/CVE-2018-14847

Type: github • Created: 2025-04-16 18:37:08 UTC • Stars: 0

This is a proof of concept of the critical WinBox vulnerability (CVE-2018-14847) which allows for arbitrary file read of plain text passwords. The vulnerability has long since been fixed, so this project has ended and will not be supported or updated anymore. You can fork it and update it yourself instead.

K3ysTr0K3R/CVE-2018-14847-EXPLOIT

Type: github • Created: 2024-04-22 22:33:25 UTC • Stars: 2

A PoC exploit for CVE-2018-14847 - MikroTik WinBox File Read

babyshen/routeros-CVE-2018-14847-bytheway

Type: github • Created: 2022-10-31 06:38:11 UTC • Stars: 4

By the Way is an exploit that enables a root shell on Mikrotik devices running RouterOS versions:

yukar1z0e/CVE-2018-14847

Type: github • Created: 2020-04-29 01:40:33 UTC • Stars: 1

jas502n/CVE-2018-14847

Type: github • Created: 2018-12-15 10:38:26 UTC • Stars: 27

MikroTik RouterOS Winbox未经身份验证的任意文件读/写漏洞