PT-2020-5639 · Mikrotik · Mikrotik Winbox

Published 2020-04-15 · Updated 2020-04-28 · CVE-2020-5721

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

MikroTik WinBox versions 3.22 and below

Description

The issue is insufficient protection of credentials in the settings.cfg.viw configuration file. When the Keep Password field is set and no Master Password is set, the user's cleartext password is stored in this file. By default, Keep Password is enabled and Master Password is not set. An attacker with access to the configuration file can extract a username and password, allowing them to gain unauthorized access to the router.

Recommendations

For MikroTik WinBox versions 3.22 and below, consider setting a Master Password to protect the configuration file and stored credentials. As a temporary workaround, restrict access to the settings.cfg.viw configuration file to minimize the risk of exploitation. Avoid using the default settings for Keep Password and Master Password to prevent cleartext password storage.
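
To check the "restrict access" workaround on a workstation, the following PowerShell lists every account other than the file owner, SYSTEM and Administrators that holds an Allow entry with read access on a settings.cfg.viw file. It is an added example, not part of the advisory or of MikroTik's tooling; the function name Get-WinboxSettingsExposure is hypothetical, and the search root ($env:APPDATA in the last line) is an assumption, because the advisory does not state where WinBox keeps the file.

```powershell
# Added example (not from the advisory): report who, besides the owner,
# SYSTEM and Administrators, is allowed to read a settings.cfg.viw file.
function Get-WinboxSettingsExposure {
    param(
        # Assumption: directory tree to search; the advisory gives no file location.
        [Parameter(Mandatory)][string]$SearchRoot
    )
    $sidType  = [System.Security.Principal.SecurityIdentifier]
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $trusted  = @('S-1-5-18', 'S-1-5-32-544')   # SYSTEM, BUILTIN\Administrators

    Get-ChildItem -LiteralPath $SearchRoot -Filter 'settings.cfg.viw' -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file  = $_
            $acl   = Get-Acl -LiteralPath $file.FullName
            $owner = $acl.GetOwner($sidType).Value
            # Explicit and inherited ACEs, with identities returned as SIDs
            # so the comparison does not depend on the system language.
            foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
                $sid     = $ace.IdentityReference.Value
                $canRead = ($ace.AccessControlType -eq 'Allow') -and
                           (($ace.FileSystemRights -band $readData) -ne 0)
                if ($canRead -and $sid -ne $owner -and $trusted -notcontains $sid) {
                    [pscustomobject]@{
                        File      = $file.FullName
                        Sid       = $sid
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

# Assumed search root: the current user's roaming profile.
Get-WinboxSettingsExposure -SearchRoot $env:APPDATA | Format-Table -AutoSize
```

The function reports Allow entries only and does not compute effective access, so Deny entries and group membership still need to be reviewed for each hit.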

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

BDU:2021-01339
CVE-2020-5721

Affected Products

Mikrotik Winbox