CVE-2019-3977

HIGH IN THE WILD

MikroTik RouterOS < 6.44.5 - Download Without Integrity Check


Description

RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and earlier versions insufficiently validate where upgrade packages are downloaded from when using the autoupgrade feature. A remote attacker can therefore trick the router into "upgrading" to an older version of RouterOS, and possibly into resetting all of the system's usernames and passwords.
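The failure mode above is CWE-494 in its usual shape: an upgrade client accepts a package from whatever location it is pointed at, with no check on the source, the package contents, or the version direction. The block below is an added illustration, not MikroTik's code and not the fix MikroTik shipped; it contrasts a downloader that trusts the offered URL with one that requires HTTPS from an allowlisted host, refuses downgrades, and compares the package digest with a value published out of band. The host names, version strings, package bytes and pinned digests are all constructed for the example, and the "network" is an in-memory dictionary so the code runs offline.

```python
"""Illustrative upgrade-source and integrity checks for a RouterOS-style
autoupgrade client. Added example, not MikroTik's code: the helper names,
the allowlisted host, the package bytes and the pinned digests are
assumptions constructed for this page."""
import hashlib
from urllib.parse import urlparse

# Constructed stand-in for the download server: URL -> package bytes.
# A real client would receive these as HTTP responses.
FAKE_NETWORK = {
    "https://upgrade.example.net/routeros-6.45.6.npk": b"NPK:6.45.6:legit",
    # Newer version with no vendor-published digest (assumed scenario).
    "https://upgrade.example.net/routeros-6.46.0.npk": b"NPK:6.46.0:unknown",
    # Package whose bytes were altered in transit (assumed scenario).
    "https://upgrade.example.net/routeros-6.45.7.npk": b"NPK:6.45.7:mitm",
    # Attacker-controlled server offering an old build over plain HTTP.
    "http://attacker.example.org/routeros-6.40.0.npk": b"NPK:6.40.0:old",
}

# Digests the vendor is assumed to publish out of band, keyed by version.
TRUSTED_DIGESTS = {
    "6.45.6": hashlib.sha256(b"NPK:6.45.6:legit").hexdigest(),
    "6.45.7": hashlib.sha256(b"NPK:6.45.7:legit").hexdigest(),
}
TRUSTED_HOSTS = {"upgrade.example.net"}


def parse_version(v: str) -> tuple:
    """'6.45.6' -> (6, 45, 6). Assumes purely numeric, dot-separated versions."""
    return tuple(int(part) for part in v.split("."))


def fetch_insecure(url: str) -> bytes:
    """The CWE-494 pattern: download from whatever URL the router was told,
    with no source, version or integrity check."""
    return FAKE_NETWORK[url]


def fetch_checked(url: str, running: str, offered: str) -> bytes:
    """Hardened variant: allowlisted HTTPS source, no downgrade, and the
    package digest must match the trusted value before it is accepted."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname not in TRUSTED_HOSTS:
        raise ValueError(f"untrusted upgrade source: {url}")
    if parse_version(offered) <= parse_version(running):
        raise ValueError(f"refusing non-upgrade {running} -> {offered}")
    expected = TRUSTED_DIGESTS.get(offered)
    if expected is None:
        raise ValueError(f"no trusted digest for {offered}")
    data = FAKE_NETWORK[url]
    if hashlib.sha256(data).hexdigest() != expected:
        raise ValueError("package digest mismatch")
    return data


def try_upgrade(url: str, running: str, offered: str) -> tuple:
    """Convenience wrapper returning (accepted, reason) instead of raising."""
    try:
        data = fetch_checked(url, running, offered)
    except ValueError as err:
        return False, str(err)
    return True, f"installed {offered} ({len(data)} bytes)"


if __name__ == "__main__":
    cases = [
        ("https://upgrade.example.net/routeros-6.45.6.npk", "6.44.5", "6.45.6"),
        ("http://attacker.example.org/routeros-6.40.0.npk", "6.44.5", "6.40.0"),
        ("https://upgrade.example.net/routeros-6.45.6.npk", "6.45.6", "6.45.6"),
        ("https://upgrade.example.net/routeros-6.46.0.npk", "6.44.5", "6.46.0"),
        ("https://upgrade.example.net/routeros-6.45.7.npk", "6.44.5", "6.45.7"),
    ]
    for url, running, offered in cases:
        print(running, "->", offered, try_upgrade(url, running, offered))
```

The order of the checks matters: the source check runs first so that a package from an unknown host is never even hashed, and the downgrade check runs before the digest lookup so that a genuinely signed but older vendor package (the attack the description implies) is still rejected. A digest table is the minimum; a real client would verify a vendor signature over the package or its manifest, which the example stands in for with a pinned SHA-256.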

Scores

CVSS v3 7.5
EPSS 0.0086
EPSS Percentile 75.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

InTheWild.io 2021-12-10
CWE
CWE-494
Status published
Products (2)
mikrotik/routeros < 6.44.5 (Long-term branch)
mikrotik/routeros < 6.45.6 (Stable branch)
Published Oct 29, 2019
Tracked Since Feb 18, 2026