PT-2019-4067 · Mikrotik · Routeros

Published 2019-09-11 · Updated 2021-12-09 · CVE-2019-3977

CVSS v2.0 8.5 High
Vector AV:N/AC:L/Au:N/C:N/I:C/A:P

Name of the Vulnerable Software and Affected Versions
RouterOS versions 6.45.6 and earlier (stable channel)
RouterOS versions 6.44.5 and earlier (long-term channel)
Description The autoupgrade feature of RouterOS fetches upgrade packages without adequately validating where they are downloaded from and without checking the integrity of what it receives (download of code without integrity check). A remote attacker who can influence that download, for example from a position on the network path, can therefore make the router "upgrade" to an older RouterOS release. Because an older release is itself a legitimate vendor build, checking only that a package is authentic does not stop this; the device must also refuse to install a version older than the one it is running. Downgrading can reset all system usernames and passwords, potentially giving the attacker unauthorized access to the device.
Recommendations Upgrade to a release outside the affected ranges: 6.45.7 or later on the stable channel, or 6.44.6 or later on the long-term channel. Where that is not immediately possible, disable the autoupgrade feature so the router does not fetch and install packages unattended, restrict access to the upgrade feature to trusted administrators, and do not run autoupgrade over untrusted networks until the device is patched.
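The two checks the description turns on, as an added illustration that is neither RouterOS code nor part of the original advisory: a stand-in update client in Python that mimics the vulnerable pattern (install whatever version the update server offers) beside a hardened one that verifies a vendor signature over the package and, separately, refuses any version that is not newer than the one running. The vendor key, the package record format, the version numbers other than the affected ranges, and the `sign_package`, `vulnerable_install`, `hardened_install` and `demo` helpers are all constructed assumptions for this example; MikroTik's actual package format and signing scheme are not described on this page.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor's package-signing key. A real vendor
# signs with an asymmetric key; an HMAC keeps this example stdlib-only.
VENDOR_KEY = b"example-vendor-signing-key"


def parse_version(version: str) -> tuple:
    """'6.45.6' -> (6, 45, 6). Rejects anything that is not dotted integers."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def sign_package(version: str, payload: bytes) -> dict:
    """Vendor side (constructed): bind the version string and the payload
    digest together under the vendor key, so neither can be swapped alone."""
    digest = hashlib.sha256(payload).hexdigest()
    tag = hmac.new(VENDOR_KEY, f"{version}:{digest}".encode(), hashlib.sha256).hexdigest()
    return {"version": version, "sha256": digest, "payload": payload, "sig": tag}


def vulnerable_install(current: str, package: dict) -> str:
    """The pattern behind CVE-2019-3977: trust whatever the update server
    handed back, with no integrity check and no check that it is newer."""
    return package["version"]


def hardened_install(current: str, package: dict) -> tuple:
    """Returns (accepted, reason). Verifies the package and refuses rollback."""
    # 1. Integrity: the bytes we downloaded must match the digest in the record.
    digest = hashlib.sha256(package["payload"]).hexdigest()
    if digest != package["sha256"]:
        return False, "payload digest mismatch"
    # 2. Authenticity: version and digest must carry a valid vendor signature.
    expected = hmac.new(VENDOR_KEY, f"{package['version']}:{digest}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, package["sig"]):
        return False, "vendor signature invalid"
    # 3. Anti-rollback: a genuine but older release passes steps 1-2 and must
    #    still be refused, otherwise the downgrade attack remains possible.
    try:
        offered, running = parse_version(package["version"]), parse_version(current)
    except ValueError as exc:
        return False, str(exc)
    if offered <= running:
        return False, f"refusing downgrade {current} -> {package['version']}"
    return True, f"installing {package['version']}"


def demo() -> dict:
    """Constructed scenario: the router runs 6.45.6; an attacker on the path
    serves a genuinely signed but old package in place of the real update."""
    running = "6.45.6"
    real_update = sign_package("6.45.7", b"constructed new package bytes")
    old_but_genuine = sign_package("6.40.0", b"constructed old package bytes")
    tampered = dict(real_update, payload=b"attacker-modified bytes")
    return {
        "vulnerable_accepts_downgrade": vulnerable_install(running, old_but_genuine),
        "hardened_on_downgrade": hardened_install(running, old_but_genuine),
        "hardened_on_tampered": hardened_install(running, tampered),
        "hardened_on_real_update": hardened_install(running, real_update),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The third check is the one that matters for this CVE: the attacker does not need to forge anything, because the package served is an older release the vendor really shipped, so a signature check passes and only the comparison against the running version stops it. Comparing against the version actually running, rather than against a global "latest", also handles the two release channels correctly: 6.44.6 is a valid upgrade for a router on 6.44.5 even though it is numerically below 6.45.6.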

Fix


Weakness Enumeration

CWE-494 Download of Code Without Integrity Check

Related Identifiers

BDU:2019-04628
CVE-2019-3977

Affected Products

Mikrotik Routeros
Routeros