CVE-2019-3977
HIGH IN THE WILDMikroTik RouterOS < 6.44.5 and < 6.45.6 - Unauthenticated Arbitrary Code Download via Autoupgrade Feature
Title source: llmExploitation Summary
CVE-2019-3977 has been observed exploited in the wild (reported by InTheWild.io).
Description
RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below insufficiently validate where upgrade packages are download from when using the autoupgrade feature. Therefore, a remote attacker can trick the router into "upgrading" to an older version of RouterOS and possibly reseting all the system's usernames and passwords.
References (1)
Core 1
Core References
Third Party Advisory x_refsource_misc
https://www.tenable.com/security/research/tra-2019-46
Scores
CVSS v3
7.5
EPSS
0.0106
EPSS Percentile
60.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
InTheWild.io
2021-12-10
CWE
CWE-494
Status
published
Products (2)
mikrotik/routeros
< 6.44.5
mikrotik/routeros
< 6.45.6
Published
Oct 29, 2019
Tracked Since
Feb 18, 2026