CVE-2025-10948: MikroTik RouterOS Buffer Overflow Flaw

CVE-2025-10948 Overview

A buffer overflow vulnerability has been identified in MikroTik RouterOS 7 affecting the parse_json_element function within the libjson.so component. The vulnerability is triggered through the /rest/ip/address/print REST API endpoint, allowing remote attackers with low-level privileges to potentially achieve code execution or cause system instability through specially crafted JSON input.

Critical Impact

Remote attackers can exploit this buffer overflow vulnerability over the network to compromise MikroTik routers running vulnerable versions of RouterOS 7, potentially leading to complete device takeover, network infrastructure compromise, and lateral movement within affected environments.

Affected Products

• MikroTik RouterOS 7 (versions prior to 7.20.1)
• MikroTik RouterOS 7.21beta versions (prior to 7.21beta2)
• Network devices running the affected libjson.so component

Discovery Timeline

• September 25, 2025 - CVE-2025-10948 published to NVD
• October 13, 2025 - Last updated in NVD database

Technical Details for CVE-2025-10948

Vulnerability Analysis

This vulnerability is classified as CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), a memory corruption flaw that occurs when the parse_json_element function in libjson.so fails to properly validate input boundaries. The vulnerability exists in the JSON parsing logic that processes REST API requests to the /rest/ip/address/print endpoint.

When a malformed or oversized JSON payload is submitted to the affected endpoint, the parser does not properly enforce buffer size limitations, allowing data to be written beyond allocated memory boundaries. This can result in memory corruption, which may lead to arbitrary code execution, denial of service, or disclosure of sensitive memory contents.

The attack can be executed remotely over the network and requires only low-level authentication, making it particularly dangerous for internet-exposed MikroTik devices.

Root Cause

The root cause of CVE-2025-10948 lies in insufficient bounds checking within the parse_json_element function of the libjson.so shared library. When processing JSON elements, the function fails to validate that incoming data fits within the allocated buffer space before writing, creating a classic buffer overflow condition. This implementation flaw allows attackers to supply malicious input that exceeds expected buffer sizes, corrupting adjacent memory regions.

Attack Vector

The attack is network-based and targets the REST API interface on MikroTik RouterOS 7 devices. An attacker with low-level access to the router's REST API can craft a malicious JSON request to the /rest/ip/address/print endpoint containing specially formatted data designed to trigger the buffer overflow. The exploit has been publicly disclosed, increasing the risk of exploitation in the wild.

The vulnerability manifests when malicious JSON input is processed by the parse_json_element function. Technical details and proof-of-concept information are available in the GitHub PoC Repository. Interested researchers can review the Technical Proof of Concept for detailed exploitation mechanics.

Detection Methods for CVE-2025-10948

Indicators of Compromise

• Unusual or malformed REST API requests to /rest/ip/address/print endpoint containing oversized JSON payloads
• Unexpected crashes or restarts of MikroTik RouterOS services related to JSON parsing
• Anomalous memory consumption patterns on affected devices
• Authentication attempts followed by suspicious REST API activity targeting address management functions

Detection Strategies

• Monitor network traffic for unusually large or malformed JSON payloads targeting MikroTik REST API endpoints
• Implement intrusion detection rules to flag requests to /rest/ip/address/print with anomalous payload sizes
• Deploy application-layer firewall rules to inspect and filter malicious JSON content targeting RouterOS devices
• Enable verbose logging on MikroTik devices to capture REST API access patterns and potential exploitation attempts

Monitoring Recommendations

• Configure SIEM alerts for multiple failed or suspicious REST API requests from single source IPs
• Establish baseline REST API usage patterns and alert on significant deviations
• Monitor for service crashes or unexpected reboots on MikroTik devices that may indicate exploitation attempts
• Review access logs for unauthorized or unexpected access to management interfaces

How to Mitigate CVE-2025-10948

Immediate Actions Required

• Upgrade affected MikroTik RouterOS 7 devices to version 7.20.1 or 7.21beta2 immediately
• Restrict REST API access to trusted management networks only using firewall rules
• Implement strong authentication and limit REST API access to essential administrative accounts
• Consider disabling the REST API interface temporarily if not required for operations

Patch Information

MikroTik has acknowledged this vulnerability and confirmed the issue has been fixed in their bug tracker. The vendor recommends upgrading to RouterOS version 7.20.1 or 7.21beta2 to remediate this vulnerability. Users should ensure they upgrade to these versions or any subsequent release that includes the fix. Additional information can be found in the VulDB entry.

Workarounds

• Implement network segmentation to isolate router management interfaces from untrusted networks
• Apply access control lists (ACLs) to restrict REST API access to specific authorized IP addresses
• Deploy a web application firewall (WAF) or reverse proxy to filter and validate JSON requests before they reach the device
• Monitor and rate-limit REST API requests to reduce exploitation window

# MikroTik RouterOS - Restrict REST API access to trusted management subnet
/ip firewall filter
add chain=input src-address=192.168.1.0/24 dst-port=443 protocol=tcp action=accept comment="Allow REST API from management subnet"
add chain=input dst-port=443 protocol=tcp action=drop comment="Block REST API from all other sources"