CVE-2017-6297
MEDIUM
MikroTik RouterOS 6.83.3 and 6.37.4 - Missing Encryption of Sensitive Data in L2TP Client
The L2TP client in MikroTik RouterOS versions 6.83.3 and 6.37.4 does not enable IPsec encryption after a reboot, so the tunnel comes up as plain L2TP. A man-in-the-middle attacker on the path can read the transmitted data unencrypted and, by capturing those packets and obtaining the L2TP secret, gain access to the networks reachable through the L2TP server.
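The condition described above, an L2TP client whose tunnel leaves the router as bare UDP/1701 instead of inside ESP, is easy to spot from a capture taken on the WAN side of the router. The following Python is an added example, not code from MikroTik, NVD or the referenced advisory: it parses raw IPv4 packets and flags any L2TP datagram that is not wrapped in ESP (IP protocol 50) or UDP-encapsulated ESP (NAT-T on UDP/4500). The sample packets, addresses and the `Finding`/`classify`/`audit` names are constructed for this example.

```python
"""Flag L2TP traffic that is on the wire without IPsec protection.

Added example for the CVE-2017-6297 description; not MikroTik or advisory code.
Sample packets and addresses below are constructed, not from a real capture.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List

# Standard protocol constants (RFC 2661/3931 for L2TP, RFC 3948 for NAT-T).
L2TP_PORT = 1701
NAT_T_PORT = 4500
IPPROTO_UDP = 17
IPPROTO_ESP = 50


@dataclass
class Finding:
    src: str
    dst: str
    verdict: str  # "plaintext-l2tp", "esp", "nat-t" or "other"


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet; the header checksum is left zero (irrelevant for parsing)."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                 # version 4, IHL 5 (20-byte header)
        0,                    # DSCP/ECN
        20 + len(payload),    # total length
        0, 0,                 # identification, flags/fragment offset
        64,                   # TTL
        proto,
        0,                    # header checksum (unset)
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    return header + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """Build a UDP datagram with a zero checksum (permitted over IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(packet: bytes) -> Finding:
    """Decide whether an IPv4 packet carries plaintext L2TP, ESP, NAT-T or something else."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return Finding("?", "?", "other")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    if proto == IPPROTO_ESP:
        return Finding(src, dst, "esp")
    if proto == IPPROTO_UDP and len(packet) >= ihl + 8:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if NAT_T_PORT in (sport, dport):
            return Finding(src, dst, "nat-t")
        if L2TP_PORT in (sport, dport):
            return Finding(src, dst, "plaintext-l2tp")
    return Finding(src, dst, "other")


def audit(packets: List[bytes]) -> List[Finding]:
    """Return only the packets that expose L2TP on the wire without IPsec."""
    return [f for f in map(classify, packets) if f.verdict == "plaintext-l2tp"]


# Constructed sample traffic (documentation address ranges, invented for this example).
CLIENT, SERVER, RESOLVER = "198.51.100.10", "203.0.113.5", "203.0.113.53"

# L2TP v2 control header (T, L, S bits set; length 20) carrying one AVP: Message Type = SCCRQ.
L2TP_SCCRQ = struct.pack("!HHHHHH", 0xC802, 20, 0, 0, 0, 0) + b"\x80\x08\x00\x00\x00\x00\x00\x01"

SAMPLE = [
    # 1. the vulnerable case: L2TP control message sent bare on UDP/1701
    build_ipv4(CLIENT, SERVER, IPPROTO_UDP, build_udp(1701, 1701, L2TP_SCCRQ)),
    # 2. how the same tunnel should look: ESP (SPI, sequence number, opaque ciphertext)
    build_ipv4(CLIENT, SERVER, IPPROTO_ESP, struct.pack("!II", 0x0A0B0C0D, 1) + b"\xAA" * 32),
    # 3. ESP behind NAT: UDP-encapsulated on port 4500
    build_ipv4(CLIENT, SERVER, IPPROTO_UDP,
               build_udp(4500, 4500, struct.pack("!II", 0x0A0B0C0D, 2) + b"\xBB" * 32)),
    # 4. unrelated DNS query, must not be flagged
    build_ipv4(CLIENT, RESOLVER, IPPROTO_UDP, build_udp(40000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"plaintext L2TP {f.src} -> {f.dst}: tunnel is not protected by IPsec")
```

When the client behaves correctly no datagram to UDP/1701 should appear on the WAN capture at all, only ESP (or UDP/4500 once NAT-T is in use), so a single plaintext-l2tp hit after a reboot is the symptom the description refers to. The check decrypts nothing and cannot tell why the IPsec policy did not apply; on RouterOS, confirm against the router's own IPsec state (for example `/ip ipsec installed-sa print`) before drawing conclusions.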
References (2)
Exploit, Third Party Advisory (x_refsource_misc): https://blog.milne.it/2017/02/24/mikrotik-routeros-security-vulnerability-l2tp-tunnel-unencrypted-cve-2017-6297/
Third Party Advisory, VDB Entry (x_refsource_bid): http://www.securityfocus.com/bid/96447
Scores
CVSS v3: 5.9
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: NETWORK
EPSS: 0.0074 (percentile 49.8%)
Details
CWE: CWE-311 (Missing Encryption of Sensitive Data)
Status: published
Products (2): mikrotik/routeros 6.37.4; mikrotik/routeros 6.83.3
Published: Feb 27, 2017
Tracked Since: Feb 18, 2026