CVE-2023-30800

HIGH

Mikrotik Routeros < 6.49.10 - Out-of-Bounds Write

Title source: rule

Description

The web server used by MikroTik RouterOS version 6 is affected by a heap memory corruption issue. A remote and unauthenticated attacker can corrupt the server's heap memory by sending a crafted HTTP request. As a result, the web interface crashes and is immediately restarted. The issue was fixed in RouterOS 6.49.10 stable. RouterOS version 7 is not affected.

Exploits (3)

nomisec WORKING POC 1 stars

by diemaxxing · poc

https://github.com/diemaxxing/cve-2023-30800-multithread-doser

View Code ZIP pw:eip

nomisec WORKING POC

by griffinsectio · poc

https://github.com/griffinsectio/CVE-2023-30800_PoC_go

View Code ZIP pw:eip

nomisec WORKING POC

by griffinsectio · poc

https://github.com/griffinsectio/CVE-2023-30800_PoC

View Code ZIP pw:eip

References (1)

Core 1

Core References

Exploit, Third Party Advisory

https://vulncheck.com/advisories/mikrotik-jsproxy-dos

Scores

CVSS v3 7.5

EPSS 0.0454

EPSS Percentile 89.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-787

Status published

Products (1)

mikrotik/routeros 6.0 - 6.49.10

Published Sep 07, 2023

Tracked Since Feb 18, 2026