Mikrotik RouterOS Botnet Vulnerability Found

MikroTik CRS226-24G-2S-RM Racked
MikroTik CRS226-24G-2S-RM Racked

At STH, we review and use a fair number of MikroTik products. MikroTik is a Latvian based maker of some interesting SMB networking solutions. Recently, Radware showed that there is a worm impacting MikroTik RouterOS devices that appears to be spreading rapidly. The worm infects devices and creates a Botnet of RouterOS devices.

The MikroTik RouterOS Botnet Worm

The worm is targeting RouterOS devices via two primary methods after scanning for port 8291 which is primarily used by MikroTik devices. First, scanning for known vulnerabilities that are unpatched. Second, using brute force password attacks. These are particularly troublesome in the RouterOS scenario as many of these devices are connected to the Internet as routers. Also, many SMB service providers install them at customer sites. These customer site installations are not always patched immediately meaning that old vulnerabilities are often present.

From Radware on this issue:

“Preliminary analysis suggests that the botnet is exploiting known Mikrotik vulnerabilities (HTTP, SMB) as well as password brute-forcing. The worm has a highly efficient propagation mechanism by aggressively scanning for port 8291 in order to identify publicly available Mikrotik devices and using the password cracking capabilities to infect neighbor devices.”

Here is a link to the vulnerability and more details described by Radware.

This is a big deal since MikroTik also makes low cost, high throughput routers that implement features like BGP for smaller service providers. An example of that is the Cloud Core Router pictured in the cover image for this article. These routers are often connected to data center WAN uplinks. That practically means that if these routers are compromised, they can be used to launch DDoS attacks both from SMB network endpoints but also from data center WAN connections magnifying the pps and bandwidth capabilities of each endpoint. Whereas an IP camera vulnerability on a 11mbps WiFi uplink can be dangerous in quantity, a 72 core router with a 10Gbps uplink (or two) can sustain a higher DDoS rate as a botnet endpoint.

STH MikroTik Reviews

Here are a few of our MikroTik reviews which shows why they are popular in some segments of STH’s reader base.

We also have a review of the MikroTik CRS317-1G-16S+RM in the pipeline. Expect that one to come out soon. Newer firmware has gotten it to the point Patrick feels comfortable with us publishing a review.

Discuss this article and the vulnerability in the STH forums.


  1. Yeah, if I know Mikrotik it’ll take some time to release a fix..
    ..or is that just for new feature requests? OpenVPN UDP support has been requested by hundreds of people for what.. about eight years now? It’s why I gave up on their hardware.
    It might be cheap, but so’s the support.

  2. The issue was fixed in RouterOS v6.38.4/v6.41.3 very quickly after disclosure. Companies that don’t have standard operating procedure to patch critical equipment when vulnerabilities are addressed need better standard operating procedures.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.