Description
MikroTik WinBox 3.22 and below stores the user's cleartext password in the settings.cfg.viw configuration file when the Keep Password field is set and no Master Password is set. Keep Password is set by default and, by default Master Password is not set. An attacker with access to the configuration file can extract a username and password to gain access to the router.
References (1)
Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://www.tenable.com/security/research/tra-2020-23
Scores
CVSS v3
5.5
EPSS
0.0037
EPSS Percentile
28.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-260
CWE-522
Status
published
Products (1)
mikrotik/winbox
< 3.22
Published
Apr 15, 2020
Tracked Since
Feb 18, 2026