MikroTik RouterOS/SwOS WebFig Plaintext Credential Interception (CVE-2025-61481)

Key Information Vulnerability Description CVE ID: CVE-2025-61481 Affected Products: MikroTik RouterOS and SwOS WebFig default HTTP configuration allows credential interception Description: - By default, the WebFig management interface is served over HTTP without automatic redirection to HTTPS. - After a factory reset, the management UI—including the login page and associated JavaScript—is fully loaded over plaintext HTTP. - During authentication, client-side scripts send usernames and passwords in plaintext over port 80. - Attackers can capture these credentials and tamper with management traffic. Impact Exposure of management plane credentials and potential configuration tampering. Affected Versions RouterOS: 7.14.2 and earlier SwOS: 2.19 (based on CRS326-24G-2S+ and similar models) Mitigation Use management interfaces only on trusted networks. Enable HTTPS for WebFig (if available) or use encrypted management channels such as SSL or VPN tunnels. Test all HTTP-only management interfaces to ensure they are not unencrypted and sensitive, until HTTPS is enabled by default. CWE CWE-1188: Resource initialized with insecure default values CWE-319: Cleartext transmission of sensitive information CWE-200: Exposure of sensitive information to an unauthorized actor PoC Video demonstration of the attack process. CVSS Score v3.1: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L = 10.8 v4.0: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L = 10.8 Attack Vector Network (N) — MitM attackers can intercept and modify HTTP traffic. Privileges Required None (N) — Attackers only need network position (MitM). User Interaction None (N) — No user interaction required. Scope Changed (C) — Attackers can alter device configuration and affect the network. Confidentiality High (H) — Exposure of admin credentials/session tokens leads to credential leakage. Integrity High (H) — Attackers can modify device configuration, inject routes, and alter behavior. Availability Low (L) — Attackers can disrupt network or configuration, but availability disruption is not required for exploitation. Discoverer Oliver Bolin References MikroTik Documentation Research Announcement

Goal Reached Thanks to every supporter — we hit 100%!

MikroTik RouterOS/SwOS WebFig Plaintext Credential Interception (CVE-2025-61481)