cbcvebase.
CVE-2017-7285
published 2017-03-29

CVE-2017-7285: A vulnerability in the network stack of MikroTik Version 6.38.5 released 2017-03-09 could allow an unauthenticated remote attacker to exhaust all available CPU…

PriorityP265high7.5CVSS 3.0
AVNACLPRNUINSUCNINAH
EXPLOIT
EPSS
19.34%
97.0th percentile
A vulnerability in the network stack of MikroTik Version 6.38.5 released 2017-03-09 could allow an unauthenticated remote attacker to exhaust all available CPU via a flood of TCP RST packets, preventing the affected router from accepting new TCP connections.

Affected

1 ranges
VendorProductVersion rangeFixed in
mikrotikrouteros

Detection & IOCsextracted from sources · hover to see the quote

versionMikroTik RouterOS 6.38.5
commandTCP RST flood using raw socket (tcp_rst=1, seq=19456, tcp_win=124, tcp_urg_ptr=44, ip_frag_id=19245, ip_ttl=25)
  • Detect a flood of TCP RST packets from a single source targeting a MikroTik device; high-rate RST-only packets (RST flag set, no SYN/ACK/FIN) with a fixed sequence number (19456) and window size (124) are characteristic of this exploit.
  • Monitor CPU utilization on MikroTik RouterOS 6.38.5 devices; sustained 100% CPU with simultaneous inability to accept new TCP connections is the primary symptom of exploitation.
  • ·The vulnerability is specific to MikroTik RouterOS version 6.38.5 (released 2017-03-09); other versions are not confirmed affected by this CVE.
  • ·The attack requires no authentication; any unauthenticated remote attacker with network access to the router can trigger the DoS, making perimeter ACLs blocking unsolicited RST floods the primary mitigation.

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvdv2.07.8HIGHAV:N/AC:L/Au:N/C:N/I:N/A:C
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.