CVE-2025-42611 Overview
CVE-2025-42611 is an improper certificate validation vulnerability [CWE-295] in MikroTik RouterOS. RouterOS shares a single system-wide certificate trust store across multiple network services, including OpenVPN, CAPsMAN, and Dot1x (802.1X). Any certificate authority trusted in the system store is accepted in any service context, regardless of intended scope. Attackers can leverage this scope confusion to perform partial or full authentication bypass against affected services.
Critical Impact
Authentication bypass in CAPsMAN, OpenVPN, and Dot1x (802.1X) enables network-adjacent attackers to impersonate trusted servers or clients, undermining confidentiality and integrity of protected communications.
Affected Products
- MikroTik RouterOS (services using shared certificate validation logic)
- OpenVPN service on RouterOS
- CAPsMAN and Dot1x (802.1X) services on RouterOS
Discovery Timeline
- 2026-05-05 - CVE-2025-42611 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2025-42611
Vulnerability Analysis
The vulnerability stems from RouterOS using a single, shared certificate store for all services that perform Transport Layer Security (TLS) or certificate-based authentication. Services such as OpenVPN, CAPsMAN, and Dot1x (802.1X) call into common validation logic that consults the system-wide trust store. The validation logic does not enforce per-service scope or purpose constraints on trusted certificate authorities (CAs). Any CA installed for one purpose becomes implicitly trusted by every other service that uses the same code path.
Root Cause
The root cause is a design flaw classified under [CWE-295] Improper Certificate Validation. The shared validation routine treats the entire trust store as authoritative for every consumer, ignoring intended usage boundaries such as Extended Key Usage (EKU) or service-specific CA pinning. An administrator who imports a CA for a narrow purpose, for example a Dot1x RADIUS issuer, unintentionally extends that trust to OpenVPN and CAPsMAN.
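The contrast between a shared, unscoped trust store and a per-service, purpose-constrained check can be seen in the following added illustration. It is not RouterOS code and is not from the advisory; certificates and CAs are simplified records, and the CA names, service names and policy table are constructed. Chain building and signature verification are assumed to have already succeeded before either validator is called.

```python
# Added example (not MikroTik/RouterOS code): a shared trust store that
# ignores scope, beside a validator that enforces per-service issuer and
# Extended Key Usage constraints. All names below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str          # name of the CA that signed this certificate
    eku: frozenset       # Extended Key Usage values the CA granted (symbolic, not OIDs)


# The system-wide store: every CA an administrator ever imported, for any purpose.
SYSTEM_TRUST_STORE = {"vpn-ca", "capsman-ca", "corp-radius-ca"}


def validate_shared(cert: Cert, service: str) -> bool:
    """Vulnerable pattern (CWE-295): any CA in the shared store is authoritative
    for every consumer; the service argument is not consulted at all."""
    return cert.issuer in SYSTEM_TRUST_STORE


# Hardened pattern: each consumer declares which issuer(s) it accepts and which
# EKU the peer's certificate must carry for the role it claims.
SERVICE_POLICY = {
    "openvpn-server":   {"issuers": {"vpn-ca"},         "required_eku": "clientAuth"},
    "openvpn-client":   {"issuers": {"vpn-ca"},         "required_eku": "serverAuth"},
    "capsman":          {"issuers": {"capsman-ca"},     "required_eku": "clientAuth"},
    "dot1x-supplicant": {"issuers": {"corp-radius-ca"}, "required_eku": "serverAuth"},
}


def validate_scoped(cert: Cert, service: str) -> bool:
    """Per-service check: issuer must be in the service's own allowlist and the
    certificate must carry the EKU that role requires. Unknown services fail closed."""
    policy = SERVICE_POLICY.get(service)
    if policy is None:
        return False
    if cert.issuer not in policy["issuers"]:
        return False
    return policy["required_eku"] in cert.eku


def compare(cert: Cert, service: str) -> tuple:
    """Return (shared_result, scoped_result) so the scope confusion is visible side by side."""
    return validate_shared(cert, service), validate_scoped(cert, service)


if __name__ == "__main__":
    # A certificate issued by the Dot1x RADIUS CA, presented as an OpenVPN server.
    radius_issued = Cert("radius.corp.example", "corp-radius-ca", frozenset({"serverAuth"}))
    # A legitimate VPN client certificate presented to the OpenVPN server.
    vpn_client = Cert("alice", "vpn-ca", frozenset({"clientAuth"}))
    for label, cert, svc in (("radius CA cert as VPN server", radius_issued, "openvpn-client"),
                             ("vpn-ca client cert at VPN server", vpn_client, "openvpn-server")):
        shared, scoped = compare(cert, svc)
        print(f"{label:34} shared={shared!s:5} scoped={scoped}")
```

The first case is the scope confusion the advisory describes: the shared validator accepts the RADIUS-issued certificate as an OpenVPN server because its issuer is somewhere in the store, while the scoped validator rejects it because `corp-radius-ca` is not an OpenVPN issuer. The EKU check additionally stops a valid VPN client certificate from being presented in the server role.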
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker who controls a certificate signed by any CA in the RouterOS trust store can present that certificate to a vulnerable service. The service accepts the certificate as valid, enabling authentication bypass, server impersonation, or client impersonation depending on the targeted protocol. This affects scenarios such as rogue CAPsMAN controllers managing access points, malicious OpenVPN endpoints terminating client tunnels, and unauthorized 802.1X supplicants joining wired or wireless segments.
No verified public proof-of-concept code is available. Refer to the CERT-SI CVE-2025-42611 Advisory for technical details.
Detection Methods for CVE-2025-42611
Indicators of Compromise
- Unexpected OpenVPN, CAPsMAN, or Dot1x sessions established from unfamiliar peer endpoints or with certificates issued by CAs not intended for that service.
- Presence of unexpected certificate authorities in the RouterOS system trust store, particularly CAs imported for unrelated purposes.
- Authentication events where the presented certificate chain terminates at a CA outside the documented service-specific issuance policy.
Detection Strategies
- Audit the RouterOS certificate store and enumerate every trusted CA, then map each CA to the services that should rely on it.
- Correlate VPN, wireless, and 802.1X authentication logs against the expected issuer for each service to identify cross-context certificate use.
- Monitor configuration change events on RouterOS devices for additions to the system certificate store.
Monitoring Recommendations
- Forward RouterOS syslog events covering certificate import, OpenVPN session establishment, and CAPsMAN provisioning to a centralized log platform.
- Alert on first-seen certificate issuers per service and on any authentication using a CA outside an approved allowlist.
- Track device configuration baselines and flag drift in /certificate entries between scheduled audits.
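The trust-store audit, the per-service issuer correlation and the first-seen-issuer alerting described in the Detection Strategies and Monitoring Recommendations above can be combined into one script, shown here as an added example that is not part of the advisory. The CA names, the service allowlist and the event format are constructed; RouterOS's actual syslog layout is not shown on this page, so a real deployment would adapt `EVENT_RE` to the fields its log forwarder emits.

```python
# Added example (not from the advisory or MikroTik): audit a trust-store
# inventory against a per-service CA allowlist, then run authentication
# events through the same allowlist to flag cross-context certificate use.
import re
from collections import defaultdict

# Which CA(s) each service is documented to rely on (constructed names).
SERVICE_ALLOWLIST = {
    "openvpn": {"vpn-ca"},
    "capsman": {"capsman-ca"},
    "dot1x":   {"corp-radius-ca"},
}

# Every CA currently marked trusted in the system store (constructed inventory,
# as would be gathered from "/certificate print where trusted=yes").
TRUSTED_CAS = {"vpn-ca", "capsman-ca", "corp-radius-ca", "vendor-support-ca"}

# Constructed, simplified event lines; not RouterOS's real log format.
LOG_LINES = [
    "2026-05-06T09:00:01Z service=openvpn peer=198.51.100.10 issuer=vpn-ca result=ok",
    "2026-05-06T09:05:13Z service=dot1x peer=aa:bb:cc:dd:ee:01 issuer=corp-radius-ca result=ok",
    "2026-05-06T09:07:42Z service=openvpn peer=203.0.113.7 issuer=corp-radius-ca result=ok",
    "2026-05-06T09:09:00Z service=capsman peer=192.0.2.44 issuer=vendor-support-ca result=ok",
    "2026-05-06T09:10:30Z service=capsman peer=192.0.2.45 issuer=capsman-ca result=ok",
    "2026-05-06T09:11:00Z service=openvpn peer=203.0.113.8 issuer=corp-radius-ca result=ok",
    "2026-05-06T09:12:00Z service=openvpn peer=203.0.113.9 issuer=vpn-ca result=fail",
    "this line is not an authentication event",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) service=(?P<service>\S+) peer=(?P<peer>\S+) "
    r"issuer=(?P<issuer>\S+) result=(?P<result>\S+)$"
)


def parse_event(line: str):
    """Return the event fields as a dict, or None for lines that are not events."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def audit_trust_store(trusted_cas: set, allowlist: dict) -> list:
    """CAs trusted system-wide that no service is documented to rely on.
    Because RouterOS shares one store, each of these is implicitly trusted by every service."""
    assigned = set().union(*allowlist.values())
    return sorted(trusted_cas - assigned)


def correlate(lines, allowlist: dict) -> list:
    """Emit (alert_type, service, issuer, peer) tuples for successful sessions whose
    issuer is new for that service or falls outside the service's allowlist."""
    alerts = []
    seen_issuers = defaultdict(set)   # first-seen state, per service
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["result"] != "ok":
            continue                   # ignore failed sessions and non-event lines
        svc, issuer, peer = ev["service"], ev["issuer"], ev["peer"]
        if issuer not in seen_issuers[svc]:
            seen_issuers[svc].add(issuer)
            alerts.append(("first-seen-issuer", svc, issuer, peer))
        if issuer not in allowlist.get(svc, set()):
            alerts.append(("issuer-outside-allowlist", svc, issuer, peer))
    return alerts


if __name__ == "__main__":
    print("unscoped trusted CAs:", audit_trust_store(TRUSTED_CAS, SERVICE_ALLOWLIST))
    for alert in correlate(LOG_LINES, SERVICE_ALLOWLIST):
        print(*alert)
```

On the constructed input the audit reports `vendor-support-ca` as trusted but assigned to no service, and the correlation flags the OpenVPN sessions whose chain terminates at the Dot1x RADIUS CA and the CAPsMAN session issued by the unassigned vendor CA. The first-seen alerts fire once per service and issuer, so repeated cross-context use (the second `corp-radius-ca` OpenVPN session) still produces an allowlist alert without re-triggering the first-seen one.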
How to Mitigate CVE-2025-42611
Immediate Actions Required
- Inventory all CAs present in the RouterOS system trust store and remove any CA that is not strictly required.
- Restrict management access to RouterOS devices to administrative networks and enforce strong authentication for configuration changes.
- Review OpenVPN, CAPsMAN, and Dot1x configurations to confirm peer identity is validated against the narrowest possible issuer set.
Patch Information
Apply the RouterOS security update referenced in the CERT-SI CVE-2025-42611 Advisory once available from MikroTik. Upgrade all RouterOS devices, including CAPsMAN controllers and managed access points, to the fixed release before re-enabling affected services on untrusted networks.
Workarounds
- Use dedicated, purpose-specific CAs for each service and avoid importing general-purpose or third-party CAs into RouterOS devices that also terminate VPN or 802.1X traffic.
- Where supported, configure services to validate certificates against an explicit issuer or pinned certificate rather than relying on the shared trust store.
- Disable OpenVPN, CAPsMAN, or Dot1x services on devices where they are not actively required until a patched RouterOS version is deployed.
# Configuration example: list and remove unneeded trusted CAs in RouterOS
/certificate print where trusted=yes
/certificate set [find name="unneeded-ca"] trusted=no
/certificate remove [find name="unneeded-ca"]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


