CVE-2023-30799: MikroTik RouterOS Privilege Escalation

CVE-2023-30799 Overview

CVE-2023-30799 is a privilege escalation vulnerability in MikroTik RouterOS. Affected versions include stable releases before 6.49.7 and long-term releases through 6.48.6. A remote authenticated attacker with admin credentials can elevate to super-admin through the Winbox or HTTP management interfaces. Once elevated, the attacker can execute arbitrary code on the underlying system. The flaw is classified under [CWE-269] Improper Privilege Management. Public proof-of-concept code is published under the FOISted research project, increasing the likelihood of exploitation against exposed devices.

Critical Impact

Authenticated attackers can escalate from admin to super-admin on Winbox or HTTP interfaces and execute arbitrary code on RouterOS devices.

Affected Products

• MikroTik RouterOS stable versions before 6.49.7
• MikroTik RouterOS long-term versions through 6.48.6
• Devices exposing Winbox or HTTP administrative interfaces

Discovery Timeline

• 2023-07-19 - CVE-2023-30799 published to NVD
• 2025-11-21 - Last updated in NVD database

Technical Details for CVE-2023-30799

Vulnerability Analysis

The vulnerability allows a user holding the default admin role to obtain super-admin privileges through the Winbox protocol or the HTTP administrative interface. RouterOS exposes administrative functionality via these channels, and the privilege boundary between admin and super-admin is not correctly enforced. Once an attacker reaches super-admin context, RouterOS permits operations that lead to arbitrary code execution on the device. This converts a standard administrative account compromise into full control of the router. Because RouterOS devices commonly act as edge gateways, this control extends to the surrounding network segments.

Root Cause

The root cause is improper privilege management ([CWE-269]) in the authorization logic of the Winbox and HTTP interfaces. RouterOS does not adequately separate the capabilities exposed to admin versus super-admin sessions during certain operations. The defect allows a logged-in admin user to invoke functionality reserved for super-admin and to influence system-level behavior. The flaw is described in detail in the VulnCheck Security Advisory.

Attack Vector

Exploitation requires network access to a RouterOS device with the Winbox service (TCP 8291) or the HTTP/HTTPS administrative interface reachable. The attacker must already hold valid admin credentials. RouterOS ships with a default admin account that historically had no password on older versions, and credential reuse or weak passwords remain common findings. After authenticating, the attacker issues crafted requests that exercise the privilege escalation path and then leverage super-admin to load code. The proof-of-concept released under the FOISted PoC repository demonstrates this chain.

No verified exploitation code is reproduced here. Refer to the FOISted repository and VulnCheck advisory for technical specifics of the exploit chain.

Detection Methods for CVE-2023-30799

Indicators of Compromise

• Unexpected authenticated sessions to Winbox (TCP 8291) or the HTTP/HTTPS admin interface from unfamiliar source addresses.
• Creation of new RouterOS user accounts, scheduler entries, or scripts shortly after an admin login.
• Modifications to the /system scheduler, /system script, or /file trees that were not made by authorized operators.
• Outbound connections initiated by the router to attacker-controlled infrastructure following an admin login.

Detection Strategies

• Forward RouterOS logs to a central SIEM and alert on logins to Winbox or WebFig from non-management subnets.
• Baseline the set of accounts, scripts, and scheduled jobs on each router and alert on deviations.
• Inspect network telemetry for Winbox traffic crossing trust boundaries where it is not expected.
• Monitor for repeated failed authentication attempts preceding successful admin logins, indicating credential brute force.

Monitoring Recommendations

• Enable RouterOS logging with the info topic for system, account, and critical events and ship logs off-device.
• Track firmware version inventory across all MikroTik devices and flag any device running below 6.49.7 or 6.48.7.
• Audit the membership of the full group and any custom groups granting policy password, sensitive, or romon.

How to Mitigate CVE-2023-30799

Immediate Actions Required

• Upgrade RouterOS stable to 6.49.7 or later, and long-term to 6.48.7 or later.
• Rotate all admin and other privileged RouterOS account passwords immediately after patching.
• Restrict Winbox (8291), HTTP (80), and HTTPS (443) access to dedicated management networks using the /ip service address list.
• Remove or disable any unused administrative accounts and enforce strong, unique passwords on remaining accounts.

Patch Information

MikroTik addresses CVE-2023-30799 in RouterOS 6.49.7 (stable) and 6.48.7 (long-term). Apply the update through the standard /system package update workflow or by uploading the signed NPK package and rebooting. Confirm the running version with /system resource print after reboot. Additional context is available in the VulnCheck Security Advisory.

Workarounds

• Disable the Winbox and WebFig services on internet-facing interfaces using /ip service disable winbox,www,www-ssl where remote management is not required.
• Bind administrative services to a management VLAN only and enforce ingress filtering on the WAN interface.
• Replace the default admin username with a non-default account and remove the original admin user.
• Require SSH key authentication for any remaining remote administration and disable password-based SSH where feasible.

# Restrict administrative services to a management subnet and disable web access
/ip service set winbox address=192.0.2.0/24
/ip service disable www,www-ssl,telnet,ftp,api
/user set admin password="<strong-rotated-password>"