CVE-2017-20149

CRITICAL EXPLOITED IN THE WILD

MikroTik RouterOS before Stable 6.38.5 / Long-term 6.37.5 - Memory Corruption in the www service (Chimay-Red)


Exploitation Summary

CVE-2017-20149 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 1 public exploit.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2017-20149, targeting MikroTik RouterOS versions 6.x < 6.38.5. The exploit leverages a memory corruption vulnerability in the www service to achieve remote code execution (RCE) via ROP chains, with support for x86 and MIPS architectures.

Description

The Mikrotik RouterOS web server allows memory corruption in releases before Stable 6.38.5 and Long-term 6.37.5, aka Chimay-Red. A remote and unauthenticated user can trigger the vulnerability by sending a crafted HTTP request. An attacker can use this vulnerability to execute arbitrary code on the affected system, as exploited in the wild in mid-2017 and later.
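The fixed releases named in the description (Stable 6.38.5 and Long-term 6.37.5) split the affected range into two branches, which is easy to get wrong when triaging an inventory by hand. The following is an added example, not code from this page or from the Chimay-Red repository: a branch-aware version check that flags a device as affected when its version is below 6.37.5 or falls in 6.38.0 up to but not including 6.38.5. It assumes version strings shaped like the `version:` field of RouterOS `/system resource print` (for example `6.38.1` or `6.37.3 (long-term)`); the device inventory is constructed sample data.

```python
# Added example: branch-aware RouterOS version check for CVE-2017-20149 (Chimay-Red).
# Not from the advisory page or the Chimay-Red repository. Fixed versions come from
# the advisory text: Stable 6.38.5 and Long-term 6.37.5. Version strings are assumed
# to look like the "version:" field of RouterOS "/system resource print".
import re
from typing import Iterable, List, Tuple

FIXED_STABLE = (6, 38, 5)      # first fixed Stable release
FIXED_LONGTERM = (6, 37, 5)    # first fixed Long-term release
STABLE_BRANCH_START = (6, 38, 0)

# "major.minor[.patch]" at the start of the string; trailing tags such as
# "rc1" or "(long-term)" are ignored.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse a RouterOS version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised RouterOS version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable(version: str) -> bool:
    """True if this RouterOS version is in an affected range for CVE-2017-20149.

    Affected per the advisory:
      * anything below Long-term 6.37.5
      * Stable 6.38.0 up to, but not including, 6.38.5
    6.37.5 and later 6.37.x are fixed Long-term builds; 6.38.5 and later carry the fix.
    """
    v = parse_version(version)
    if v < FIXED_LONGTERM:
        return True
    if STABLE_BRANCH_START <= v < FIXED_STABLE:
        return True
    return False


# Constructed sample inventory of (device name, reported version); not real data.
SAMPLE_INVENTORY = [
    ("edge-rtr-01", "6.38.1"),
    ("edge-rtr-02", "6.37.3 (long-term)"),
    ("edge-rtr-03", "6.37.5"),
    ("edge-rtr-04", "6.38.5"),
    ("edge-rtr-05", "6.40.3"),
    ("edge-rtr-06", "6.38"),
]


def triage(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the names of devices whose reported version is in an affected range."""
    return [name for name, ver in inventory if is_vulnerable(ver)]


if __name__ == "__main__":
    for name, ver in SAMPLE_INVENTORY:
        state = "VULNERABLE" if is_vulnerable(ver) else "fixed"
        print(f"{name:12s} {ver:20s} {state}")
    print("affected:", triage(SAMPLE_INVENTORY))
```

Note that `6.38` with no patch component is treated as 6.38.0 and therefore flagged, while `6.37.5` (the fixed Long-term build) is not, even though it is numerically below 6.38.5. Upgrading is the fix; until then, restricting the www service to management addresses or disabling it under `/ip service` removes the unauthenticated network path the description relies on.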

Exploits (1)

vulncheck_xdb WORKING POC
remote
https://github.com/seekintoo/Chimay-Red


Classification
Working PoC (95% confidence)
Attack Type: RCE
Complexity: Complex
Reliability: Reliable
Target: MikroTik RouterOS (6.x < 6.38.5)
Authentication: none required
Prerequisites: Network access to the target device · Target running vulnerable RouterOS version
Analysis: devstral-2, Feb 25, 2026

Scores

CVSS v3.1: 9.8 (Critical)
EPSS: 0.0255 (2.55%)
EPSS Percentile: 83.0%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: PoC
Automatable: yes
Technical Impact: total

Details

VulnCheck KEV 2018-03-28
InTheWild.io 2017-06-01
CWE
CWE-787 (Out-of-bounds Write)
Status published
Products (2)
mikrotik/routeros < 6.37.5 (Long-term branch; fixed in 6.37.5)
mikrotik/routeros 6.38 up to but not including 6.38.5 (Stable branch; fixed in 6.38.5)
Published Oct 15, 2022
Tracked Since Feb 18, 2026