CVE-2023-30799

CRITICAL EXPLOITED IN THE WILD

MikroTik RouterOS < 6.48.7 and 6.34-6.49.7 - Authenticated Privilege Escalation via Winbox or HTTP Interface

Title source: llm

Exploitation Summary

CVE-2023-30799 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 2 public exploits from researchers including alzeer711.

AI-analyzed exploit summary The repository appears to be a writeup or documentation for an exploit kit targeting MikroTik RouterOS 6.49.18, specifically mentioning CVE-2023-30799. However, it lacks actual exploit code or technical details, only providing a summary in Arabic.

Description

MikroTik RouterOS stable before 6.49.7 and long-term through 6.48.6 are vulnerable to a privilege escalation issue. A remote and authenticated attacker can escalate privileges from admin to super-admin on the Winbox or HTTP interface. The attacker can abuse this vulnerability to execute arbitrary code on the system.

Exploits (2)

nomisec WRITEUP 1 stars

by alzeer711 · poc

https://github.com/alzeer711/MikroTik-RouterOS-6.49.18-Exploit-Kit

View Code ZIP pw:eip

The repository appears to be a writeup or documentation for an exploit kit targeting MikroTik RouterOS 6.49.18, specifically mentioning CVE-2023-30799. However, it lacks actual exploit code or technical details, only providing a summary in Arabic.

Classification

Writeup 30%

Attack Type

Other

Complexity

Theoretical

Reliability

Theoretical

Target: MikroTik RouterOS 6.49.18

No auth needed

Prerequisites: access to the full exploit kit

devstral-2 · analyzed Feb 16, 2026 Full analysis →

vulncheck_xdb WORKING POC

remote-auth

https://github.com/MarginResearch/FOISted

View Code ZIP pw:eip

FOISted is a post-authentication remote jailbreak exploit for MikroTik RouterOS versions 6.34 to 6.49.6, leveraging two vulnerabilities: a privilege escalation to bypass policy restrictions and a function pointer invocation in the FoisHandler to achieve remote code execution via a ROP chain.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: MikroTik RouterOS v6.34 to v6.49.6

Auth required

Prerequisites: admin credentials · x86 RouterOS device · FTP access for staging files

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 25, 2026 Full analysis →

References (2)

Core 2

Core References

Third Party Advisory third-party-advisory

https://vulncheck.com/advisories/mikrotik-foisted

Third Party Advisory exploit

https://github.com/MarginResearch/FOISted

Scores

CVSS v3 9.1

EPSS 0.0131

EPSS Percentile 66.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

VulnCheck KEV 2024-09-18

InTheWild.io 2024-09-18

CWE

CWE-269

Status published

Products (2)

mikrotik/routeros < 6.48.7

mikrotik/routeros 6.34 - 6.49.7

Published Jul 19, 2023

Tracked Since Feb 18, 2026