CVE-2025-10948: High Vulnerability in MikroTik RouterOS

A high-severity vulnerability has been identified in MikroTik RouterOS 7, specifically affecting the function parse_json_element in the file /rest/ip/address/print of the component libjson.so. This vulnerability allows for a buffer overflow, which can be exploited remotely. The CVSS score for this vulnerability stands at 7.4, indicating a significant risk to affected systems. Organizations using this version of RouterOS should prioritize remediation efforts due to the potential for serious compromise.

Given the nature of the vulnerability, the risk to organizations includes unauthorized access and data manipulation. The exploit has already been disclosed publicly, heightening the urgency for affected users. Organizations should upgrade to version 7.20.1 or 7.21beta2, as these versions contain fixes for this vulnerability. Immediate action is crucial to mitigate the risks associated with this vulnerability.

As the vulnerability is currently classified as awaiting analysis, organizations must remain vigilant in monitoring for any updates from MikroTik regarding available patches. The time to act is now, as attackers may leverage this vulnerability in the wild.

Organizations should prioritize patching immediately.

Vulnerability Details

The vulnerability allows for a buffer overflow in MikroTik RouterOS 7, specifically within the libjson.so component. The vulnerability was published on September 25, 2025, and has a CVSS score of 7.4, classified as high severity. It has impacts on confidentiality, integrity, and availability, making it critical for organizations to address.

The affected component is libjson.so within MikroTik RouterOS 7. The Common Weakness Enumeration (CWE) classifications for this vulnerability include CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input).

Technical Analysis

The root cause of this vulnerability lies in improper handling of JSON parsing within the RouterOS codebase. The attack vector is network-based, allowing remote exploitation without requiring physical access to the device. The attack complexity is low, with minimal privileges required for execution. No user interaction is necessary for an attack to succeed.

Exploitation may lead to significant impacts on confidentiality, integrity, and availability of the system, as the overflow can corrupt memory and allow for arbitrary code execution. Organizations should be aware of the potential blast radius, as a successful exploit could compromise sensitive data and services.

Risk & Impact Analysis

The potential risk to organizations is considerable, given the network-exploitable nature of this vulnerability and its high CVSS score. The urgency is further compounded by the public disclosure of the exploit, enabling attackers to develop and deploy attacks quickly. Affected organizations must assess their exposure and implement necessary mitigations to prevent unauthorized access and data breaches.

Organizations should address this vulnerability in their priority patch cycle to reduce the likelihood of exploitation. The high-profile nature of the vulnerability necessitates immediate attention and appropriate risk management strategies.

Exploitation Status

Affected Versions

This vulnerability affects MikroTik RouterOS 7, with specific versions including 7.20.1 and 7.21beta2 provided as mitigations. Organizations should ensure they upgrade to these versions or later to avoid exploitation.

Mitigation & Remediation

To mitigate the risks associated with CVE-2025-10948, organizations should upgrade their MikroTik RouterOS to version 7.20.1 or 7.21beta2. In the absence of an immediate patch, organizations should consider implementing network controls to restrict access to vulnerable services and monitor for unusual activity that may indicate exploitation attempts. Proper configuration hardening and continuous security testing are also recommended.

Organizations should validate remediation efforts through penetration testing to ensure effectiveness against similar vulnerabilities.

Detection Guidance

Organizations should monitor logs for indicators of exploitation attempts, including unexpected access to the /rest/ip/address/print endpoint. Behavioral anomalies such as unusual API requests or spikes in traffic should be investigated. Additionally, network signatures for known attack patterns may help in early detection of malicious activity.

AppSecure Threat Intelligence Insight

The vulnerability in MikroTik RouterOS underscores the importance of maintaining up-to-date systems and the risks posed by public disclosures of exploits. Security teams should conduct regular assessments and stay informed about vulnerabilities affecting their infrastructure. Implementing comprehensive security measures, including application security assessments, can help mitigate similar threats in the future. The trend of remote vulnerabilities highlights the need for robust network defenses and incident response planning.

For organizations utilizing cloud services, understanding the implications of vulnerabilities such as this is crucial. Regular reviews of security policies and engagement in proactive security measures, such as cloud penetration testing, can enhance security posture significantly.

Lastly, organizations should consider engaging in red teaming exercises to identify potential weaknesses before they can be exploited by threat actors.