CVE-2019-15055

MEDIUM

MikroTik RouterOS <= 6.44.5 and 6.45.x <= 6.45.3 - Authenticated Arbitrary File Deletion via Disk Name Handling

Title source: llm

Description

MikroTik RouterOS through 6.44.5 and 6.45.x through 6.45.3 improperly handles the disk name, which allows authenticated users to delete arbitrary files. Attackers can exploit this vulnerability to reset credential storage, which allows them access to the management interface as an administrator without authentication.

References (5)

Core References
Release Notes, Vendor Advisory x_refsource_confirm
https://mikrotik.com/download/changelogs/testing-release-tree
Third Party Advisory x_refsource_misc
https://fortiguard.com/zeroday/FG-VD-19-108
Press/Media Coverage, Third Party Advisory x_refsource_misc
https://medium.com/tenable-techblog/rooting-routeros-with-a-usb-drive-16d7b8665f90
Exploit, Third Party Advisory x_refsource_misc
https://github.com/tenable/routeros/tree/master/poc/cve_2019_15055
Various Sources x_refsource_confirm
https://forum.mikrotik.com/viewtopic.php?t=151603

Scores

CVSS v3 6.5
EPSS 0.0223
EPSS Percentile 80.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-22
Status published
Products (1)
mikrotik/routeros < 6.44.5
Published Aug 26, 2019
Tracked Since Feb 18, 2026