CVE-2019-15055
MEDIUM
MikroTik RouterOS <= 6.44.5 and 6.45.x <= 6.45.3 - Authenticated Arbitrary File Deletion via Disk Name Handling
Title source: llm
Description
MikroTik RouterOS through 6.44.5 and 6.45.x through 6.45.3 improperly handles the disk name, which allows authenticated users to delete arbitrary files. Attackers can exploit this vulnerability to reset credential storage, which allows them access to the management interface as an administrator without authentication.
References (5)
Core References
Release Notes, Vendor Advisory x_refsource_confirm
https://mikrotik.com/download/changelogs/testing-release-tree
Third Party Advisory x_refsource_misc
https://fortiguard.com/zeroday/FG-VD-19-108
Press/Media Coverage, Third Party Advisory x_refsource_misc
https://medium.com/tenable-techblog/rooting-routeros-with-a-usb-drive-16d7b8665f90
Exploit, Third Party Advisory x_refsource_misc
https://github.com/tenable/routeros/tree/master/poc/cve_2019_15055
Various Sources x_refsource_confirm
https://forum.mikrotik.com/viewtopic.php?t=151603
Scores
CVSS v3
6.5
EPSS
0.0223
EPSS Percentile
80.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-22
Status
published
Products (1)
mikrotik/routeros
< 6.44.5
Published
Aug 26, 2019
Tracked Since
Feb 18, 2026