CVE-2021-27221
Published: 2021-03-19
Priority: P3 · 55 · high · 8.1 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:N / I:H / A:H
Exploit
EPSS: 4.49% (90.3rd percentile)
MikroTik RouterOS 6.47.9 allows remote authenticated ftp users to create or overwrite arbitrary .rsc files via the /export command. NOTE: the vendor's position is that this is intended behavior because of how user policies work
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mikrotik | routeros | — | — |
Detection & IOCs (extracted from sources)
- other: http.title:"mikrotik routeros > administration"
- other: title="mikrotik routeros > administration"
- other: intitle:"mikrotik routeros > administration"
- other: Server: mikrotik httpproxy
- Detect MikroTik RouterOS login/admin panel by matching body keywords indicating the administration page or hotspot login page.
- Detect older MikroTik RouterOS admin panel variants by matching body strings such as 'mikrotik routeros > administration', 'Mikrotik Router', or 'MikroTik RouterOS Managing Webpage'.
- Detect MikroTik Hotspot login panel by matching body strings for the hotspot service login page.
- Detect MikroTik HTTP proxy by matching the 'Server: mikrotik httpproxy' response header.
- Extract the RouterOS version from the response body using regex patterns to identify vulnerable versions (e.g., 6.47.9).
- Monitor FTP sessions for authenticated users invoking the /export command, which can create or overwrite arbitrary .rsc files on the filesystem.
- The vendor considers this behavior intentional, not a vulnerability, based on how user policies are designed in RouterOS.
- Exploitation requires remote authenticated FTP access; unauthenticated exploitation is not possible for the /export command abuse.
CVSS provenance
- NVD v3.1: 8.1 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
- NVD v2.0: 8.5 HIGH, AV:N/AC:L/Au:S/C:N/I:C/A:C
No detection rules found.
Nuclei
MikroTik Router OS Login Panel - Detect (nuclei template, CVE-2021-27221)
MikroTik Router OS login panel was detected.
Template:

```yaml
# Nuclei panel-detection template (info block only, as shown on this page)
id: mikrotik-routeros

info:
  name: MikroTik Router OS Login Panel - Detect
  author: gy741
  severity: info
  description: MikroTik Router OS login panel was detected.
  reference:
    - https://systemweakness.com/routeros-user-with-just-ftp-policy-can-write-to-filesystem-cve-2021-27221-e3e45d780dfe
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    cwe-id: CWE-200
    cpe: cpe:2.3:o:mikrotik:routeros:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: mikrotik
    product: routeros
    shodan-query: http.title:"mikrotik routeros > administration"
    fofa-query: title="mikrotik routeros > administration"
    google-query: intitle:"mikrotik routeros > administration"
  tags: panel,login,mikrotik,discovery
```
No writeups or analysis indexed.