CVE-2025-6443 Overview
CVE-2025-6443 is an improper access control vulnerability [CWE-284] in Mikrotik RouterOS affecting Virtual Extensible LAN (VXLAN) traffic processing. The flaw allows unauthenticated remote attackers to bypass source IP restrictions and inject traffic into internal networks fronted by a RouterOS device. The vulnerability was reported through the Zero Day Initiative as ZDI-CAN-26415 and assigned advisory identifier ZDI-25-424.
RouterOS does not validate the remote IP address of incoming VXLAN packets against the operator-configured remote endpoints before forwarding traffic into the overlay network. An attacker who can route packets to the affected device can spoof a permitted VXLAN peer and reach internal resources.
Critical Impact
Unauthenticated attackers can bypass VXLAN access restrictions and gain ingress to internal network resources behind a RouterOS device.
Affected Products
- Mikrotik RouterOS (all versions matching cpe:2.3:o:mikrotik:routeros:*:*:*:*:-:*:*:*)
- Devices with VXLAN tunneling configured
- Network segments relying on RouterOS for VXLAN peer enforcement
Discovery Timeline
- 2025-06-25 - CVE-2025-6443 published to the National Vulnerability Database
- 2025-08-18 - Last updated in NVD database
Technical Details for CVE-2025-6443
Vulnerability Analysis
The vulnerability resides in the VXLAN traffic handler within Mikrotik RouterOS. VXLAN is an overlay protocol that encapsulates Layer 2 Ethernet frames inside UDP packets, typically on port 4789, to extend virtual networks across Layer 3 boundaries. Operators define remote VXLAN tunnel endpoints (VTEPs) so the device only accepts encapsulated traffic from trusted peers.
RouterOS fails to enforce that check. The handler accepts VXLAN packets without comparing the outer source IP address against the configured remote peer list. Any host that can deliver a VXLAN-encapsulated UDP datagram to the device is treated as a legitimate peer, and the decapsulated inner frames are forwarded onto the internal overlay segment.
The attack vector is network-based and requires no authentication or user interaction. Successful exploitation gives the attacker the ability to inject arbitrary Layer 2 traffic into internal VLANs, reach hosts that should be isolated, and pivot deeper into the environment.
Root Cause
The root cause is missing source validation in the VXLAN ingress path. Configured remote IP values exist in the operator policy but are not consulted before traffic is admitted, producing a broken access control condition tracked as [CWE-284].
Attack Vector
An attacker sends crafted VXLAN-encapsulated UDP packets to the WAN-facing interface of an affected RouterOS device. Because no peer verification occurs, the inner frames are decapsulated and bridged onto the internal VXLAN-attached network, exposing internal services to the attacker.
No verified public exploit code is available. Technical details are described in the Zero Day Initiative Advisory ZDI-25-424.
Detection Methods for CVE-2025-6443
Indicators of Compromise
- Inbound UDP traffic on port 4789 (VXLAN) from source addresses not present in the configured remote peer list
- Unexpected MAC addresses appearing on internal VXLAN segments
- ARP or DHCP activity on internal overlays originating from hosts that have no legitimate VTEP relationship
Detection Strategies
- Compare the source IP of received VXLAN packets against the RouterOS VXLAN remote peer configuration and alert on mismatches
- Inspect bridge and VXLAN interface counters in RouterOS for unexplained increases in received frames
- Correlate firewall logs at upstream devices with internal overlay traffic to identify spoofed VTEP sources
Monitoring Recommendations
- Enable logging on firewall rules that match UDP/4789 and forward logs to a centralized SIEM
- Monitor for new or unexpected Layer 2 endpoints on VXLAN-backed bridges
- Track configuration changes to VXLAN interfaces and remote peer lists on RouterOS devices
How to Mitigate CVE-2025-6443
Immediate Actions Required
- Upgrade Mikrotik RouterOS to the latest stable release that addresses CVE-2025-6443
- Restrict UDP/4789 ingress at perimeter firewalls to known VTEP peer addresses only
- Audit existing VXLAN configurations to confirm remote endpoint definitions match operational expectations
Patch Information
Refer to the Zero Day Initiative Advisory ZDI-25-424 and Mikrotik vendor channels for the fixed RouterOS release. Apply the vendor-supplied update to enforce remote IP validation on VXLAN ingress.
Workarounds
- Block inbound VXLAN (UDP/4789) traffic on internet-facing interfaces using RouterOS firewall rules
- Apply IPsec or another authenticated transport beneath VXLAN to cryptographically validate peers
- Isolate VXLAN management to a dedicated, access-controlled transport network
# Configuration example: restrict VXLAN ingress to known peers on RouterOS
/ip firewall filter
add chain=input protocol=udp dst-port=4789 src-address=<trusted-vtep-ip> action=accept comment="Allow trusted VTEP"
add chain=input protocol=udp dst-port=4789 action=drop comment="Drop untrusted VXLAN"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
