Skip to main content
CVE Vulnerability Database

CVE-2025-6443: Mikrotik RouterOS Auth Bypass Vulnerability

CVE-2025-6443 is an authentication bypass vulnerability in Mikrotik RouterOS VXLAN that allows unauthenticated attackers to access internal network resources. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-6443 Overview

CVE-2025-6443 is an improper access control vulnerability in Mikrotik RouterOS affecting the handling of Virtual Extensible LAN (VXLAN) traffic. The flaw allows remote, unauthenticated attackers to bypass source IP restrictions and inject traffic into the internal network behind the device. RouterOS does not validate the remote IP address against configured peer values before accepting ingress VXLAN packets. The weakness is tracked under CWE-284 and was reported through Trend Micro's Zero Day Initiative as ZDI-CAN-26415.

Critical Impact

Unauthenticated remote attackers can bypass VXLAN peer restrictions and gain access to internal network resources protected by RouterOS.

Affected Products

  • Mikrotik RouterOS (VXLAN-enabled configurations)
  • Devices exposing VXLAN endpoints to untrusted networks
  • RouterOS deployments using VXLAN for network segmentation or overlay tunneling

Discovery Timeline

Technical Details for CVE-2025-6443

Vulnerability Analysis

The vulnerability resides in the RouterOS VXLAN ingress path. VXLAN is an overlay protocol that encapsulates Layer 2 Ethernet frames inside UDP packets, typically on port 4789. RouterOS allows administrators to define remote VXLAN peers, but the implementation accepts encapsulated traffic without verifying that the outer source IP matches a configured peer. An attacker who can route UDP packets to the VXLAN endpoint can forge encapsulated frames and have them decapsulated into the internal bridged network.

This flaw shifts the attack surface from the routed perimeter to the internal Layer 2 segment. Forged inner Ethernet frames are placed onto the bridge as if they originated from a legitimate tenant, enabling lateral access to hosts and services that were assumed to be isolated.

Root Cause

The root cause is missing validation of the outer source IP address during VXLAN packet ingress. The handler does not compare the source of incoming encapsulated traffic against the operator-configured remote peer list, classifying the condition as Improper Access Control [CWE-284]. Trust is implicitly granted to any host able to reach the VXLAN UDP port.

Attack Vector

Exploitation is performed over the network without authentication or user interaction. An attacker crafts a VXLAN-encapsulated UDP packet with an arbitrary outer source IP and a chosen Virtual Network Identifier (VNI) matching the target tunnel. The packet is sent to the RouterOS device's VXLAN endpoint. RouterOS decapsulates the inner frame and forwards it onto the internal bridge, granting the attacker a foothold on the overlay segment. No credentials, prior access, or social engineering are required.

No public proof-of-concept exploit code is currently available. Refer to the Zero Day Initiative Advisory ZDI-25-424 for vendor coordination details.

Detection Methods for CVE-2025-6443

Indicators of Compromise

  • Inbound UDP traffic to VXLAN port 4789 from source IP addresses that are not configured VXLAN peers
  • Unexpected MAC addresses or ARP entries appearing on bridges associated with VXLAN interfaces
  • Internal hosts logging connections from VXLAN-overlay IP addresses that do not correspond to legitimate tenants

Detection Strategies

  • Correlate firewall and flow logs to identify VXLAN UDP packets whose outer source IP is not in the configured peer list
  • Monitor RouterOS interface counters on VXLAN tunnels for traffic volume anomalies outside operational baselines
  • Alert on new MAC address learning events on VXLAN-attached bridges that originate from outside expected peers

Monitoring Recommendations

  • Forward RouterOS syslog and NetFlow telemetry to a centralized analytics platform for retention and search
  • Baseline legitimate VXLAN peer IPs and continuously alert on deviations
  • Audit RouterOS configuration changes that modify VXLAN peer lists, bridge membership, or firewall filter rules

How to Mitigate CVE-2025-6443

Immediate Actions Required

  • Inventory all RouterOS devices with VXLAN interfaces configured and identify those reachable from untrusted networks
  • Restrict UDP 4789 (or any custom VXLAN port) to known peer IPs using RouterOS firewall input rules
  • Apply the latest RouterOS security update from Mikrotik as soon as it is available for your release channel

Patch Information

Mikrotik has not published a vendor advisory URL in the NVD record at the time of writing. Administrators should consult the Zero Day Initiative Advisory ZDI-25-424 and the official Mikrotik changelog for fixed versions, then upgrade RouterOS through the standard package update mechanism.

Workarounds

  • Enforce strict firewall input rules that drop VXLAN UDP packets unless the source address matches a configured peer
  • Terminate VXLAN tunnels over IPsec or other authenticated transport so unauthenticated peers cannot inject frames
  • Disable VXLAN interfaces on devices where the overlay is not actively required
  • Place VXLAN endpoints on management or transit networks isolated from the public internet
bash
# Configuration example: restrict VXLAN UDP 4789 to known peers on RouterOS
/ip firewall filter
add chain=input protocol=udp dst-port=4789 src-address-list=vxlan-peers action=accept comment="Allow VXLAN from known peers"
add chain=input protocol=udp dst-port=4789 action=drop comment="Drop unauthorized VXLAN ingress"

/ip firewall address-list
add list=vxlan-peers address=203.0.113.10
add list=vxlan-peers address=203.0.113.11

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.