PT-2015-5726 · Mikrotik · Routeros

Mohamed Abdelbaset Elnoby

Published 2015-03-19 · Updated 2015-09-24 · CVE-2015-2350

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: MikroTik RouterOS versions prior to 5.0
Description: A cross-site request forgery (CSRF) vulnerability allows remote attackers to hijack the authentication of a logged-in administrator for requests that change the administrator password. The forged request is sent to the status page at "/cfg" and supplies the password variable. Because the web interface honours the browser's ambient session credentials without any per-request proof that the request originated from its own pages, a page under the attacker's control can make the administrator's browser submit that request and reset the administrator password without the administrator's knowledge.
Recommendations: Upgrade to RouterOS 5.0 or later, which is not affected. Where an upgrade is not yet possible, restrict access to the router's web interface, and to the "/cfg" page in particular, to trusted management addresses, do not browse untrusted sites in the same browser session used to administer the router, and change the administrator password only from a trusted management host until the affected version is replaced.

Exploit

Fix

CSRF


Weakness Enumeration

Related identifiers

CVE-2015-2350

Affected products

Mikrotik Routeros
Routeros