Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-61481

CVE-2025-61481: MikroTik RouterOS/SwOS XSS Vulnerability

CVE-2025-61481 is an XSS flaw in MikroTik RouterOS v.7.14.2 and SwOS v.2.18 that allows attackers to inject JavaScript and intercept admin credentials. This post covers its technical details, impact, and mitigation.

Updated:

CVE-2025-61481 Overview

CVE-2025-61481 affects MikroTik RouterOS v7.14.2 and SwOS v2.18, which expose the WebFig management interface over cleartext HTTP by default. An on-path attacker positioned between an administrator and the device can intercept management traffic. The attacker can inject JavaScript into the administrator's browser session and capture credentials transmitted in plaintext.

The vulnerability stems from missing transport encryption on the administrative interface. This issue is classified under [CWE-200] (Exposure of Sensitive Information to an Unauthorized Actor). Successful exploitation grants attackers administrative access to network infrastructure devices, enabling full control over routing and switching functions.

Critical Impact

Network-adjacent attackers can intercept administrator credentials and execute JavaScript in browser sessions, leading to full compromise of MikroTik network devices.

Affected Products

  • MikroTik RouterOS v7.14.2
  • MikroTik SwOS v2.18
  • MikroTik devices using the WebFig management interface with default configuration

Discovery Timeline

  • 2025-10-27 - CVE-2025-61481 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-61481

Vulnerability Analysis

The WebFig interface is MikroTik's browser-based configuration tool for RouterOS and SwOS devices. In the affected versions, the interface listens on HTTP by default and transmits all session data, including authentication credentials, without encryption. An attacker on the same network segment as the administrator can passively capture this traffic.

Beyond passive interception, the attacker can actively modify HTTP responses in transit. Injected JavaScript executes within the administrator's authenticated session context. This allows the attacker to perform configuration changes, exfiltrate device state, or pivot to other management functions. The combination of credential theft and script injection makes the management interface a high-value target during man-in-the-middle (MITM) attacks.

Root Cause

The root cause is an insecure default configuration. RouterOS and SwOS ship with HTTP enabled and HTTPS not enforced on the WebFig endpoint. Administrators who do not explicitly configure TLS leave the management plane exposed to network-layer adversaries.

Attack Vector

Exploitation requires an on-path position between the administrator's workstation and the MikroTik device. Common scenarios include shared LAN segments, compromised intermediate routers, ARP spoofing on switched networks, or rogue Wi-Fi access points. The attacker observes HTTP traffic to the WebFig interface and either records credentials or injects script payloads into responses. No authentication or user interaction beyond the administrator's normal login activity is required.

No verified public proof-of-concept code is available. See the Svarthatt CVE-2025-61481 Analysis for additional technical context.

Detection Methods for CVE-2025-61481

Indicators of Compromise

  • Unexpected HTTP traffic to TCP port 80 on MikroTik device management IPs from non-administrative hosts
  • Modifications to WebFig configuration occurring outside scheduled maintenance windows
  • New administrative users, scheduler scripts, or firewall rules appearing on RouterOS or SwOS devices
  • ARP table anomalies on management network segments indicating possible ARP spoofing

Detection Strategies

  • Monitor network flows for cleartext HTTP sessions targeting MikroTik management interfaces and alert on any administrative login over port 80
  • Inspect device logs for authentication events from unexpected source addresses or at unusual times
  • Use network detection tools to identify ARP spoofing and rogue gateway activity on segments containing network management traffic

Monitoring Recommendations

  • Forward RouterOS and SwOS syslog data to a centralized log platform and apply correlation rules for configuration changes
  • Baseline normal administrative access patterns and alert on deviations in source IP, time of day, or frequency
  • Continuously inventory MikroTik devices and verify that HTTPS is enforced on each WebFig endpoint

How to Mitigate CVE-2025-61481

Immediate Actions Required

  • Disable HTTP access to WebFig on all RouterOS and SwOS devices and enforce HTTPS only
  • Restrict management interface access to a dedicated management VLAN or trusted source IP ranges
  • Rotate all administrative credentials that may have traversed cleartext HTTP sessions
  • Audit device configurations for unauthorized changes, new users, scripts, or firewall rules

Patch Information

MikroTik has not published a specific patch identifier associated with CVE-2025-61481 in the referenced advisory. Administrators should upgrade to the latest stable RouterOS and SwOS releases and apply the secure configuration steps documented in the MikroTik WebFig Documentation and MikroTik SwOS Documentation.

Workarounds

  • Enable the www-ssl service in RouterOS with a valid TLS certificate and disable the plain www service
  • Configure SwOS to require HTTPS access and block HTTP at the network layer using ACLs on upstream switches
  • Place management interfaces behind a VPN and prohibit direct access from production network segments
  • Use SSH or the WinBox client with strong authentication as an alternative to the WebFig HTTP interface
bash
# Configuration example - RouterOS: disable HTTP, enforce HTTPS for WebFig
/ip service disable www
/ip service set www-ssl certificate=webfig-cert disabled=no
/ip service set www-ssl address=192.0.2.0/24

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.