CVE-2025-6563— Cross-site scripting via dst parameter in RouterOS WiFi hotspot
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-6563
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Cross-site scripting via dst parameter in RouterOS WiFi hotspot
Source: NVD (National Vulnerability Database)
Vulnerability Description
A cross-site scripting vulnerability is present in the hotspot of MikroTik's RouterOS on versions below 7.19.2. An attacker can inject the `javascript` protocol in the `dst` parameter. When the victim browses to the malicious URL and logs in, the XSS executes. The POST request used to login, can also be converted to a GET request, allowing an attacker to send a specifically crafted URL that automatically logs in the victim (into the attacker's account) and triggers the payload.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
MikroTik RouterOS 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
MikroTik RouterOS是拉脱维亚MikroTik公司的一套基于Linux开发的路由器操作系统。该系统可部署在PC中,使其提供路由器功能。 MikroTik RouterOS 7.19.2之前版本存在安全漏洞,该漏洞源于跨站脚本攻击,可能导致执行任意代码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2025-6563
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-6563
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: RouterOS
- CVE-2025-42611
Improper certificate validation in multiple RouterOS service - CVE-2026-7668
MikroTik RouterOS SCEP Endpoint scep.p ASN1_STRING_data out- - CVE-2025-10948
MikroTik RouterOS libjson.so print parse_json_element buffer - CVE-2025-6443
Mikrotik RouterOS VXLAN Source IP Improper Access Control Vu - CVE-2023-32154
Mikrotik RouterOS RADVD Out-Of-Bounds Write Remote Code Exec
Same vendor: MikroTik
- CVE-2025-42611
Improper certificate validation in multiple RouterOS service - CVE-2026-7668
MikroTik RouterOS SCEP Endpoint scep.p ASN1_STRING_data out- - CVE-2025-10948
MikroTik RouterOS libjson.so print parse_json_element buffer - CVE-2025-6443
Mikrotik RouterOS VXLAN Source IP Improper Access Control Vu - CVE-2023-32154
Mikrotik RouterOS RADVD Out-Of-Bounds Write Remote Code Exec
Same weakness: CWE-20
V. Comments for CVE-2025-6563
No comments yet