CVE-2019-15055
Severity Score
6.5
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
MikroTik RouterOS through 6.44.5 and 6.45.x through 6.45.3 improperly handles the disk name, which allows authenticated users to delete arbitrary files. Attackers can exploit this vulnerability to reset credential storage, which allows them access to the management interface as an administrator without authentication.
MikroTik RouterOS a través de 6.44.5 y 6.45.x a 6.45.3 maneja incorrectamente el nombre del disco, lo que permite a los usuarios autenticados eliminar archivos arbitrarios. Los atacantes pueden aprovechar esta vulnerabilidad para restablecer el almacenamiento de credenciales, lo que les permite acceder a la interfaz de administración como administrador sin autenticación.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2019-08-14 CVE Reserved
- 2019-08-26 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- 2024-08-19 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| https://fortiguard.com/zeroday/FG-VD-19-108 | Third Party Advisory | |
| https://forum.mikrotik.com/viewtopic.php?t=151603 | X_refsource_confirm | |
| https://medium.com/tenable-techblog/rooting-routeros-with-a-usb-drive-16d7b8665f90 | Media Coverage |
| URL | Date | SRC |
|---|---|---|
| https://github.com/tenable/routeros/tree/master/poc/cve_2019_15055 | 2024-08-05 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://mikrotik.com/download/changelogs/testing-release-tree | 2020-10-06 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Mikrotik Search vendor "Mikrotik" | Routeros Search vendor "Mikrotik" for product "Routeros" | <= 6.44.5 Search vendor "Mikrotik" for product "Routeros" and version " <= 6.44.5" | - |
Affected
| ||||||
| Mikrotik Search vendor "Mikrotik" | Routeros Search vendor "Mikrotik" for product "Routeros" | >= 6.45 <= 6.45.3 Search vendor "Mikrotik" for product "Routeros" and version " >= 6.45 <= 6.45.3" | - |
Affected
| ||||||