CVE-2019-3978

HIGH · IN THE WILD

MikroTik RouterOS < 6.44.5 and < 6.45.6 - Unauthenticated DNS Cache Poisoning via Port 8291

Exploitation Summary

CVE-2019-3978 has been observed exploited in the wild (reported by InTheWild.io). EIP tracks 1 public exploit from researchers including Jacob Baines.

AI-analyzed exploit summary: This PoC exploits CVE-2019-3978, a DNS cache poisoning vulnerability in MikroTik RouterOS. It sends unauthenticated DNS requests via Winbox port 8291, allowing an attacker to poison the DNS cache of the router.

Description

RouterOS versions 6.45.6 Stable, 6.44.5 Long-term, and below allow remote unauthenticated attackers to trigger DNS queries via port 8291. The queries are sent from the router to a server of the attacker's choice. The DNS responses are cached by the router, potentially resulting in cache poisoning.

Exploits (1)

exploitdb WORKING POC
by Jacob Baines · c++ · remote · hardware
https://www.exploit-db.com/exploits/47566

Classification: Working PoC 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: MikroTik RouterOS 6.45.6 Stable (and below) or 6.44.5 Long-term (and below)
No auth needed
Prerequisites: Network access to the target router's Winbox port (8291) · A DNS server under attacker control to respond to the DNS requests
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 7.5
EPSS 0.1024
EPSS Percentile 93.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

InTheWild.io 2021-12-10
CWE CWE-306
Status published
Products (2)
mikrotik/routeros < 6.44.5
mikrotik/routeros < 6.45.6
Published Oct 29, 2019
Tracked Since Feb 18, 2026