CVE-2024-27686 Overview
CVE-2024-27686 is a denial-of-service vulnerability affecting MikroTik RouterOS (x86) versions 6.40.5 through 6.49.10. A remote, unauthenticated attacker can crash the device by sending crafted packet data to the Server Message Block (SMB) service on TCP port 445. The flaw is categorized under CWE-400 (Uncontrolled Resource Consumption). MikroTik addressed the issue in the RouterOS 7 release branch, leaving the entire 6.x line exposed when SMB is enabled. A public proof-of-concept is available on both GitHub and Exploit-DB, lowering the barrier for opportunistic exploitation against internet-facing routers.
Critical Impact
Unauthenticated remote attackers can crash RouterOS 6.x devices over the network, disrupting routing, VPN, and edge connectivity for downstream users.
Affected Products
- MikroTik RouterOS (x86) 6.40.5 through 6.49.10
- Devices running the RouterOS 6.x branch with the SMB service enabled
- Edge routers exposing TCP port 445 to untrusted networks
Discovery Timeline
- 2026-05-08 - CVE-2024-27686 published to NVD
- 2026-05-08 - Last updated in NVD database
Technical Details for CVE-2024-27686
Vulnerability Analysis
The vulnerability resides in the SMB service implementation shipped with RouterOS 6.x. When the service receives malformed packet data on TCP port 445, the parsing logic fails to handle the input safely and the device crashes. Because the attack requires no authentication and no user interaction, any host able to reach the SMB port can trigger the condition. The result is a full denial of service: routing, firewall, VPN, and management traffic handled by the device drop until the router reboots or is manually recovered. Public exploit code published on GitHub and Exploit-DB automates the crash with a single network request.
Root Cause
The root cause is uncontrolled resource consumption inside the SMB packet handler. The service fails to validate fields in attacker-supplied SMB traffic before processing them, leading to a fatal error in the RouterOS process tree. MikroTik resolved the underlying SMB stack issues in RouterOS 7 and did not backport the fix to the 6.x branch.
Attack Vector
The attack vector is purely network-based. An attacker sends a single crafted SMB packet to TCP port 445 of a vulnerable RouterOS device. No credentials, prior access, or user interaction are required. Exposed devices, including those reachable through misconfigured firewall rules or directly on the WAN interface, can be crashed repeatedly to maintain an outage. Internet-wide scanners that identify open SMB on RouterOS banners can readily locate targets.
No verified code examples are available for this entry. Refer to the public proof-of-concept repository and Exploit-DB entry 51931 for technical details on the crash payload.
Detection Methods for CVE-2024-27686
Indicators of Compromise
- Unexpected reboots or watchdog-triggered restarts on RouterOS 6.x devices with SMB enabled
- Inbound TCP connections to port 445 from untrusted or geographically anomalous sources
- Repeated short-lived SMB sessions followed by loss of device availability
- RouterOS log entries showing SMB service termination immediately before a reboot
Detection Strategies
- Monitor RouterOS system logs and SNMP uptime counters for unexplained restarts correlated with inbound port 445 traffic.
- Inspect network flow records (NetFlow, sFlow, IPFIX) for SMB traffic destined to RouterOS management IPs.
- Deploy IDS/IPS signatures that flag malformed SMB negotiation packets targeting MikroTik devices.
- Run authenticated configuration audits to inventory devices still running RouterOS 6.x with /ip smb enabled.
Monitoring Recommendations
- Alert on any external source initiating connections to TCP/445 on edge router IP addresses.
- Track device uptime metrics centrally and trigger investigations when RouterOS uptime resets without a scheduled change.
- Correlate router availability outages with firewall logs to identify pre-crash traffic from a single source.
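The correlation described in the detection and monitoring items above, as an added example that is not part of the original advisory: it flags sysUpTime resets and lists untrusted sources that connected to TCP/445 in the minutes before the estimated reboot. The poll and flow records, the IP addresses and the trusted management subnet are constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample data (not from the advisory): SNMP sysUpTime polls
# as (poll time, router IP, uptime in seconds).
UPTIME_POLLS = [
    ("2024-01-10T10:00:00", "192.0.2.1", 864000),
    ("2024-01-10T10:05:00", "192.0.2.1", 864300),
    ("2024-01-10T10:10:00", "192.0.2.1", 120),   # uptime went backwards: reboot
    ("2024-01-10T10:00:00", "192.0.2.2", 5000),
    ("2024-01-10T10:05:00", "192.0.2.2", 5300),
]
# Constructed flow records: (flow start, source IP, destination IP, dst port).
FLOWS = [
    ("2024-01-10T10:07:30", "203.0.113.50", "192.0.2.1", 445),
    ("2024-01-10T10:07:31", "203.0.113.50", "192.0.2.1", 445),
    ("2024-01-10T10:06:00", "10.0.0.5", "192.0.2.1", 445),    # management host
    ("2024-01-10T10:03:00", "198.51.100.7", "192.0.2.2", 443),
]
TRUSTED = [ip_network("10.0.0.0/24")]  # assumed management subnet
SMB_PORT = 445

def find_resets(polls):
    """Yield (router, estimated boot time) whenever sysUpTime goes backwards."""
    last = {}
    for ts, router, uptime in sorted(polls):
        if router in last and uptime < last[router]:
            yield router, datetime.fromisoformat(ts) - timedelta(seconds=uptime)
        last[router] = uptime

def correlate(polls, flows, lookback=timedelta(minutes=10)):
    """For each reset, count untrusted TCP/445 sources seen just before boot."""
    findings = []
    for router, boot in find_resets(polls):
        hits = {}
        for ts, src, dst, port in flows:
            t = datetime.fromisoformat(ts)
            if dst != router or port != SMB_PORT or not (boot - lookback <= t <= boot):
                continue
            if any(ip_address(src) in net for net in TRUSTED):
                continue
            hits[src] = hits.get(src, 0) + 1
        findings.append({"router": router, "boot": boot.isoformat(), "smb_sources": hits})
    return findings
```

A reset with an empty `smb_sources` map is still reported, since an unexplained restart warrants investigation even without matching SMB traffic.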
How to Mitigate CVE-2024-27686
Immediate Actions Required
- Disable the SMB service on RouterOS using /ip smb set enabled=no if it is not required.
- Block inbound TCP port 445 from untrusted networks at the perimeter and on the device input firewall chain.
- Inventory all MikroTik devices and prioritize upgrades for any running RouterOS 6.40.5 through 6.49.10.
- Restrict SMB access to trusted management subnets only using address-list-based firewall rules.
Patch Information
MikroTik fixed the issue in the RouterOS 7 branch. Operators running any version of RouterOS 6.x between 6.40.5 and 6.49.10 must migrate to RouterOS 7 to remediate the vulnerability. There is no patched 6.x release that addresses this flaw.
Workarounds
- Disable the SMB service entirely when file-sharing functionality is not in use.
- Add a firewall rule dropping traffic to TCP/445 on the input chain for all interfaces facing untrusted networks.
- Place RouterOS management and service interfaces behind a VPN or dedicated management VLAN.
- Use the RouterOS /ip firewall filter address-list feature to permit SMB only from explicit administrative hosts.
# Disable SMB and block port 445 on RouterOS
/ip smb set enabled=no
/ip firewall filter add chain=input protocol=tcp dst-port=445 action=drop comment="Block SMB - CVE-2024-27686"
/ip firewall filter move [find comment="Block SMB - CVE-2024-27686"] 0


