MikroTik RouterOS Username Enumeration Vulnerability

Vulnerability

A vulnerability in the Winbox service of MikroTik RouterOS allows username enumeration on the router. It affects the long-term release versions from 6.43.13 up to, but not including, 6.49.13, and the stable release versions 6.43 through 7.17.2. The flaw is a side channel: the Winbox service returns responses of different sizes for connection attempts made with a valid username than for those made with an invalid one, so an attacker can tell which accounts exist. A patch is available in the stable release 6.49.18.

Impact

Exploitation of this vulnerability lets an unauthenticated client enumerate the valid usernames on an affected MikroTik router.

Reproduction

The vulnerability can be reproduced by sending connection attempts to the Winbox service with both a known-valid and a known-invalid username and comparing the size of the responses; the difference reveals which usernames are valid. A Python script that automates this is available in the GitHub repository for this CVE.
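From the defender's side, an enumeration sweep against Winbox shows up as one source failing logins under many different usernames in a short window, unlike password guessing, which repeats a single username. The following detector is an added example and is not part of this advisory or of MikroTik's software; it assumes RouterOS login-failure log lines of the form "login failure for user X from IP via winbox" (verify against your own /log output), and the sample lines are constructed with documentation IP ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the assumed shape of RouterOS login-failure log lines.
SAMPLE_LOG = """\
jun/09 19:40:01 system,error,critical login failure for user admin from 203.0.113.5 via winbox
jun/09 19:40:02 system,error,critical login failure for user root from 203.0.113.5 via winbox
jun/09 19:40:02 system,error,critical login failure for user backup from 203.0.113.5 via winbox
jun/09 19:40:03 system,error,critical login failure for user support from 203.0.113.5 via winbox
jun/09 19:40:04 system,error,critical login failure for user guest from 203.0.113.5 via winbox
jun/09 19:40:05 system,error,critical login failure for user admin from 203.0.113.5 via winbox
jun/09 19:45:00 system,error,critical login failure for user admin from 198.51.100.7 via ssh
jun/09 19:45:30 system,error,critical login failure for user admin from 198.51.100.7 via ssh
"""

# Assumed line layout: "<mon/dd hh:mm:ss> <topics> login failure for user <u> from <ip> via <svc>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}/\d{2} \d{2}:\d{2}:\d{2}) \S+ login failure for user (?P<user>\S+) "
    r"from (?P<src>[\d.]+) via (?P<svc>\w+)$"
)


def parse_failures(text):
    """Yield (timestamp, source IP, service, username) for each login-failure line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # RouterOS log timestamps carry no year; only relative distances matter here.
            yield datetime.strptime(m["ts"], "%b/%d %H:%M:%S"), m["src"], m["svc"], m["user"]


def detect_enumeration(text, window=timedelta(seconds=60), min_users=4, service="winbox"):
    """Flag sources that fail logins with at least `min_users` distinct usernames on
    `service` inside `window`. Returns one alert per offending source IP."""
    events = defaultdict(list)
    for ts, src, svc, user in parse_failures(text):
        if svc == service:
            events[src].append((ts, user))
    alerts = []
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # slide the window over each start time
            users = {u for t, u in evs[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts.append({"src": src, "service": service, "distinct_users": sorted(users)})
                break
    return alerts
```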

Remediation

Update to MikroTik RouterOS stable release 6.49.18 or long-term release 7.18 to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 0.6
exploitability: 9.1
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.