CVE-2025-10948
published 2025-09-25


Priority: P2 (63)
CVSS 3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.72% (49.2nd percentile)
A vulnerability has been found in MikroTik RouterOS 7. This affects the function parse_json_element of the file /rest/ip/address/print of the component libjson.so. The manipulation leads to buffer overflow. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.20.1 or 7.21beta2 mitigates this issue. You should upgrade the affected component. The vendor replied: "Our bug tracker reports that your issue has been fixed. This means that we plan to release a RouterOS update with this fix. Make sure to upgrade to the next release when it comes out."

Affected (1 range)

Vendor     Product    Version range   Fixed in
mikrotik   routeros   -               -

Detection & IOCs (extracted from sources)

Path: /rest/ip/address/print
  • Attack targets HTTP POST requests to the exact URI /rest/ip/address/print (bsize:22) on MikroTik RouterOS REST API; match on this method+URI combination.
  • Exploit payload in the HTTP request body contains JSON key-value pairs where a value either includes a Unicode escape sequence (\u0\0) or an oversized string of 100+ consecutive non-delimiter characters, indicating a buffer overflow attempt in libjson.so's parse_json_element function.
  • The vulnerability is exploitable over plaintext HTTP (not TLS); detection should be applied at the network perimeter and internally.
  • Public PoC exploit is available; treat any matching traffic as high-confidence active exploitation (MITRE T1190 - Exploit Public-Facing Application).
  • Fixed versions are RouterOS 7.20.1 and 7.21beta2; devices not yet upgraded remain vulnerable to remote exploitation.
  • The vulnerable component is libjson.so and the affected function is parse_json_element; the attack surface is the RouterOS REST API endpoint, meaning any device with the REST API exposed (even internally) is at risk.
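The indicators above can be turned into a small request classifier. The following is an added example, not code from this page, from MikroTik, or from any published detection rule: it gates on the exact method and URI first, then looks for the two body patterns the IOC list names. Assumptions are labelled in the code: the JSON delimiter set used to define a "non-delimiter run", the 100-character threshold taken from the list, and the decision to report any `\u` escape (a truncated one, as in the page's `\u0\0`, as the higher-confidence indicator), which will also fire on legitimate escapes and should be tuned against baseline traffic. The sample requests are constructed, not captured.

```python
"""Added detection example for the CVE-2025-10948 indicators listed above:
POST to /rest/ip/address/print whose JSON body carries a \\u escape or a run of
100+ non-delimiter characters. Sample requests are constructed, not captured."""
import re

TARGET_URI = "/rest/ip/address/print"  # exact URI from the IOC list
MIN_RUN = 100                          # threshold from the IOC list

# Assumption: JSON structural characters, quotes and whitespace delimit tokens;
# any other character counts toward a run. A run of MIN_RUN+ such characters is
# an oversized string value.
LONG_RUN_RE = re.compile(r'[^"\s,:{}\[\]]{%d,}' % MIN_RUN)
# Any \u escape; a well-formed one carries exactly four hex digits.
ESCAPE_RE = re.compile(r'\\u([0-9A-Fa-f]{0,4})')


def parse_http_request(raw: bytes) -> tuple[str, str, str]:
    """Split a raw HTTP/1.x request into (method, path, body).
    The query string is dropped so that the URI match stays exact."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) < 2:
        return "", "", ""
    path = parts[1].split("?", 1)[0]
    return parts[0].upper(), path, body.decode("latin-1")


def classify(raw: bytes) -> list[str]:
    """Return the sorted indicator names matched by one request ([] if none).
    The method+URI gate is applied first, as the IOC list recommends."""
    method, path, body = parse_http_request(raw)
    if method != "POST" or path != TARGET_URI:
        return []
    reasons = set()
    for m in ESCAPE_RE.finditer(body):
        # Assumption: an escape with fewer than four hex digits (the page's
        # "\u0\0" shape) is the higher-confidence indicator; a well-formed one
        # is still reported because the page flags escapes generally.
        reasons.add("malformed-unicode-escape" if len(m.group(1)) < 4
                    else "unicode-escape")
    if LONG_RUN_RE.search(body):
        reasons.add("oversized-string")
    return sorted(reasons)


def scan(requests: list[tuple[str, bytes]]) -> list[dict]:
    """Run classify() over (source_ip, raw_request) pairs; return alert records."""
    alerts = []
    for src, raw in requests:
        hits = classify(raw)
        if hits:
            alerts.append({"src": src, "indicators": hits,
                           "technique": "T1190 Exploit Public-Facing Application"})
    return alerts


def _req(method: str, path: str, body: str) -> bytes:
    """Build a minimal HTTP/1.1 request (constructed test input)."""
    return (f"{method} {path} HTTP/1.1\r\nHost: router.example\r\n"
            f"Content-Type: application/json\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")


# Constructed sample traffic (hypothetical addresses from RFC 5737 ranges).
SAMPLE_REQUESTS = [
    # benign REST call: correct endpoint, ordinary values
    ("198.51.100.10", _req("POST", TARGET_URI, '{".proplist":"address,interface"}')),
    # 120-character run inside a JSON string value
    ("203.0.113.7", _req("POST", TARGET_URI, '{"address":"' + "A" * 120 + '"}')),
    # truncated \u escape, mirroring the page's "\u0\0" indicator
    ("203.0.113.8", _req("POST", TARGET_URI, '{"interface":"\\u0\\0"}')),
    # same body shape against a different URI: outside this rule's scope
    ("203.0.113.9", _req("POST", "/rest/system/resource/print",
                         '{"x":"' + "B" * 120 + '"}')),
    # wrong method for this rule, oversized token only in the query string
    ("203.0.113.10", _req("GET", TARGET_URI + "?x=" + "C" * 120, "")),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REQUESTS):
        print(alert)
```

Because the gate is exact on method and path, the classifier stays quiet on the same body sent to other REST endpoints; widen `TARGET_URI` to a prefix only if your own telemetry shows the same parser is reachable elsewhere.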

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd     v4.0     7.4    HIGH      CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvd     v2.0     9.0    CRITICAL  AV:N/AC:L/Au:S/C:C/I:C/A:C