CVE-2018-14847
published 2018-08-02


Priority: P1 97 · critical · 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2022-06-01
Exploited in the wild
EPSS: 96.09% (99.9th percentile)
MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.

Affected (1 range)

Vendor     Product    Version range   Fixed in
mikrotik   routeros   <= 6.42

Detection & IOCs (extracted from sources)

port: 8291
path: /rw/disk
port: 63914
path: /db_key
path: /cli_key
command: //./.././.././../pckg/lol
  • Detect CVE-2018-14847 exploitation by monitoring WinBox (TCP/8291) traffic for directory traversal path patterns containing repeated '../' sequences targeting files outside /rw/disk, particularly attempts to read credential files.
  • Monitor for Winbox protocol messages using SYS_TO command 7 (unauthenticated) or command 1 (file open for write) with path traversal strings — these are the specific commands exploited in CVE-2018-14847.
  • Hunt for VPNFilter-related MikroTik exploitation by decoding the Winbox binary protocol on TCP/8291 and looking for traversal path strings such as '//./.././.././../' in message field s1.
  • Detect Glupteba router exploitation activity by monitoring for outbound connections from MikroTik routers to nxtfdata[.]xyz and for SOCKS proxy configuration changes on compromised routers.
  • Detect VPNFilter htpx module on compromised routers by looking for iptables rules redirecting TCP/80 to port 8888 and the presence of the /var/run/htpx.pid file.
  • Detect VPNFilter ndbr SSH backdoor module by monitoring for unexpected SSH listener on TCP/63914 and presence of key files /db_key and /cli_key on MikroTik devices.
  • Flag HTTP requests with User-Agent 'curl53' as a VPNFilter htpx C2 beacon indicator.
  • CVE-2018-14847 was patched by MikroTik in April 2018; however, as of October 2018 nearly 70% of fingerprinted routers remained unpatched. Detections should prioritize RouterOS versions through 6.42.
  • The traversal vulnerability is exploitable both unauthenticated (command 7, read) and authenticated (command 1, write) over the WinBox protocol; detection rules must cover both read and write exploitation paths.
  • The related CVE-2019-3943 (fileman binary, SYS_TO 72) uses the same traversal logic as CVE-2018-14847 but requires authentication and is reachable over both HTTP and Winbox (8291); detections for path traversal patterns apply to both CVEs.
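As an added detection example (not part of this record or of any source it cites), the checker below applies the traversal rule from the bullets above to decoded WinBox file-operation messages on TCP/8291: it resolves the requested path against /rw/disk, flags any request that lands outside that directory, and rates commands 7 and 1 higher than other commands. The `WinboxFileMessage` structure, the decoder that would produce it, and the path-resolution model are assumptions; the port, the command numbers and the traversal string come from the record.

```python
"""Added example: flag CVE-2018-14847-style path traversal in decoded WinBox messages."""
import posixpath
from dataclasses import dataclass
from typing import Optional

WINBOX_PORT = 8291            # WinBox service port (from the record)
FILE_ROOT = "/rw/disk"        # directory legitimate file operations stay under (from the record)
EXPLOITED_COMMANDS = {        # SYS_TO commands tied to this CVE (from the record)
    7: "unauthenticated read",
    1: "authenticated write",
}


@dataclass(frozen=True)
class WinboxFileMessage:
    """Hypothetical decoded file-operation message; a protocol decoder producing
    these records is assumed. Field s1 carries the requested path."""
    src_ip: str
    dst_port: int
    command: int
    s1: str


def resolve_target(path: str) -> str:
    """Resolve the requested path as a file server rooted at FILE_ROOT would,
    so '..' components are seen walking above the root. This is an approximate
    model of the server, assumed for the example."""
    return posixpath.normpath(posixpath.join(FILE_ROOT, path.lstrip("/")))


def is_traversal(path: str) -> bool:
    """True when the resolved path escapes FILE_ROOT; '..' that stays inside
    the root (e.g. 'sub/../file') is not flagged."""
    target = resolve_target(path)
    return target != FILE_ROOT and not target.startswith(FILE_ROOT + "/")


def classify(msg: WinboxFileMessage) -> Optional[dict]:
    """Return an alert for a traversal attempt sent to the WinBox port, else None."""
    if msg.dst_port != WINBOX_PORT or not is_traversal(msg.s1):
        return None
    return {
        "src": msg.src_ip,
        "command": msg.command,
        "target": resolve_target(msg.s1),
        # Commands 7 and 1 are the exploited ones; traversal on any other
        # command still deserves review, at lower severity.
        "severity": "high" if msg.command in EXPLOITED_COMMANDS else "medium",
        "note": EXPLOITED_COMMANDS.get(msg.command, "traversal on other command"),
    }


def scan(messages) -> list:
    """Run classify() over a sequence of messages and keep the alerts."""
    return [alert for alert in (classify(m) for m in messages) if alert]


# Constructed sample traffic (not captured data). The traversal string is the
# one quoted in the IOC list; addresses and other paths are made up.
SAMPLE_MESSAGES = [
    WinboxFileMessage("10.0.0.5", 8291, 7, "backup.rsc"),                     # benign read
    WinboxFileMessage("203.0.113.9", 8291, 7, "//./.././.././../pckg/lol"),  # unauth read, escapes root
    WinboxFileMessage("203.0.113.9", 8291, 1, "../../../tmp/example"),       # auth write, escapes root
    WinboxFileMessage("10.0.0.7", 8291, 3, "../../../nowhere/example"),      # other command, escapes root
    WinboxFileMessage("203.0.113.9", 80, 7, "../../escapes"),                # not the WinBox port
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_MESSAGES):
        print(alert)
```

Matching on the resolved target rather than on a literal '../' substring keeps the rule robust to the './' and '//' padding seen in the quoted string and to mixed forms; a stricter deployment can additionally flag any path containing '..' at all.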

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.1     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd         v2.0      6.4     MEDIUM     AV:N/AC:L/Au:N/C:P/I:P/A:N
vulncheck             9.1     CRITICAL
cisa                  9.1     CRITICAL