CVE-2021-27221
published 2021-03-19


Priority: P3 · 55 · high · CVSS 3.1 base score 8.1
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:N / I:H / A:H
Exploit: EPSS 4.49% (90.3rd percentile)
MikroTik RouterOS 6.47.9 allows remote authenticated ftp users to create or overwrite arbitrary .rsc files via the /export command. NOTE: the vendor's position is that this is intended behavior because of how user policies work

Affected

1 range

Vendor    Product   Version range   Fixed in
mikrotik  routeros  (not listed)    (not listed)

Detection & IOCs (extracted from sources)

command: /export
other (Shodan query): http.title:"mikrotik routeros > administration"
other (FOFA query): title="mikrotik routeros > administration"
other (Google dork): intitle:"mikrotik routeros > administration"
other (HTTP response header): Server: mikrotik httpproxy
  • Detect the MikroTik RouterOS login/admin panel by matching body keywords that identify the administration page or the hotspot login page.
  • Detect older MikroTik RouterOS admin panel variants by matching body strings such as 'mikrotik routeros > administration', 'Mikrotik Router', or 'MikroTik RouterOS Managing Webpage'.
  • Detect the MikroTik Hotspot login panel by matching body strings from the hotspot service login page.
  • Detect the MikroTik HTTP proxy by matching the 'Server: mikrotik httpproxy' response header.
  • Extract the RouterOS version from the response body with a regex so that the affected version (6.47.9) can be singled out.
  • Monitor for authenticated users who hold FTP access invoking the /export command; the command can create or overwrite arbitrary .rsc files on the router's filesystem.
  • The vendor considers this behavior intentional rather than a vulnerability, because of how user policies are designed in RouterOS; the practical control is therefore the set of policies granted to each RouterOS user group.
  • Exploitation requires remote authenticated FTP access; unauthenticated abuse of /export is not possible.
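The fingerprinting steps above (body markers, the Server header, and a version regex) combined into one offline check, as an added example that is not part of the original page or of any MikroTik tooling. The body markers and the header value are the ones listed above; the version regex assumes the admin page prints the version as "RouterOS v6.47.9", which the page does not state, and the HTTP responses are constructed samples rather than captures from real devices.

```python
import re

# Fingerprints taken from the Detection & IOCs list above (compared case-insensitively).
ADMIN_BODY_MARKERS = (
    "mikrotik routeros > administration",
    "mikrotik router",
    "mikrotik routeros managing webpage",
)
PROXY_SERVER_HEADER = "mikrotik httpproxy"

# Assumption (not stated on the page): the admin page renders the version as
# "RouterOS v6.47.9". The regex is this example's own, not a vendor format.
VERSION_RE = re.compile(r"RouterOS\s+v?(\d+(?:\.\d+){1,2})", re.IGNORECASE)

# The only version the CVE text names as affected.
AFFECTED_VERSION = "6.47.9"


def fingerprint(headers: dict, body: str) -> dict:
    """Classify one HTTP response: MikroTik surface(s) seen and the RouterOS version, if printed."""
    lower_headers = {k.lower(): v for k, v in headers.items()}
    body_lower = body.lower()
    surfaces = []
    if any(marker in body_lower for marker in ADMIN_BODY_MARKERS):
        surfaces.append("admin-panel")
    if lower_headers.get("server", "").lower() == PROXY_SERVER_HEADER:
        surfaces.append("http-proxy")
    match = VERSION_RE.search(body)
    version = match.group(1) if match else None
    return {
        "mikrotik": bool(surfaces),
        "surfaces": surfaces,
        "version": version,
        # True only when the exact version named in the CVE is printed.
        "cve_2021_27221_candidate": version == AFFECTED_VERSION,
    }


# Constructed sample responses so the check runs offline; not captured from real routers.
SAMPLES = {
    "admin-6.47.9": (
        {"Content-Type": "text/html"},
        "<html><head><title>MikroTik RouterOS > administration</title></head>"
        "<body>RouterOS v6.47.9 (c) MikroTik</body></html>",
    ),
    "admin-6.48.1": (
        {"Content-Type": "text/html"},
        "<title>Mikrotik Router</title><div>RouterOS v6.48.1</div>",
    ),
    "proxy": (
        {"Server": "mikrotik httpproxy", "Content-Type": "text/html"},
        "<html><body>ERROR: Forbidden</body></html>",
    ),
    "nginx": (
        {"Server": "nginx/1.18.0"},
        "<title>Welcome to nginx!</title>",
    ),
}


def scan(samples=SAMPLES) -> dict:
    """Run the fingerprint over every sample and return the results keyed by sample name."""
    return {name: fingerprint(headers, body) for name, (headers, body) in samples.items()}


if __name__ == "__main__":
    for name, result in scan().items():
        print(
            f"{name:13} mikrotik={result['mikrotik']!s:5} surfaces={result['surfaces']} "
            f"version={result['version']} cve_candidate={result['cve_2021_27221_candidate']}"
        )
```

The version match is only a triage hint: because the vendor treats the /export behavior as intended, other RouterOS releases may behave the same way, so a host that fingerprints as MikroTik but reports a different version should not be marked clean on this basis alone.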

CVSS provenance

NVD · CVSS v3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
NVD · CVSS v2.0 · 8.5 HIGH · AV:N/AC:L/Au:S/C:N/I:C/A:C