CVE-2020-5721

MEDIUM

MikroTik WinBox <3.22 - Info Disclosure

Title source: llm

Description

MikroTik WinBox 3.22 and below stores the user's cleartext password in the settings.cfg.viw configuration file when the Keep Password field is set and no Master Password is set. Keep Password is set by default and, by default Master Password is not set. An attacker with access to the configuration file can extract a username and password to gain access to the router.

References (1)

[Exploit, Third Party Advisory] https://www.tenable.com/security/research/tra-2020-23

Scores

CVSS v3 5.5

EPSS 0.0010

EPSS Percentile 27.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-260 CWE-522

Status published

Affected Products (1)

mikrotik/winbox < 3.22

Timeline

Published Apr 15, 2020

Tracked Since Feb 18, 2026