CVE-2023-32154

22nd May, 2023 |Security

On 10/05/2023 (10 May 2023) MikroTik received information about a new vulnerability, which was assigned the ID CVE-2023-32154. The report stated that the vendor (MikroTik) was contacted in December, but we did not find any record of such communication. The original report also says that the vendor was informed in person at an event in Toronto, where MikroTik was not present in any capacity.

What this issue affects: The issue affects devices running MikroTik RouterOS versions v6.xx and v7.xx with the IPv6 router advertisement receiver functionality enabled. You are only affected if one of the below settings is applied:

ipv6/settings/set accept-router-advertisements=yes

or

ipv6/settings/set forward=no accept-router-advertisements=yes-if-forwarding-disabled

If the above settings are not configured as in the example, you are not affected. Note that the vulnerable setting combination is not normally found on routers and is rarely used.

What this issue can cause: This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of MikroTik RouterOS. Authentication is not required to exploit this vulnerability.

Recommended course of action: You can disable reception of IPv6 router advertisements, or upgrade to RouterOS 7.9.1, 6.49.8, 6.48.7 or 7.10beta8 (all already released), or of course any newer version.
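As an added example (not MikroTik's own tooling), the following Python helper applies the two conditions above, the vulnerable ipv6/settings combination and a RouterOS version below the first fixed release of its branch, to text copied from the ipv6/settings/print and system/resource/print commands. The sample outputs are constructed and only approximate the CLI layout; the version parsing rules for branches other than 6.48, 6.49 and 7.x are an assumption.

```python
import re

# Constructed sample outputs (not captured from a real device).
RESOURCE_OUTPUT = "version: 7.8 (stable)\n"
IPV6_SETTINGS_OUTPUT = """\
                     forward: no
accept-router-advertisements: yes-if-forwarding-disabled
"""

# First fixed build per branch, taken from the advisory.
# Tuple layout: (major, minor, patch, is_release, prerelease_number)
FIXED = {
    "6.48": (6, 48, 7, 1, 0),      # long-term 6.48.x
    "6": (6, 49, 8, 1, 0),         # other 6.x branches
    "7": (7, 9, 1, 1, 0),          # stable 7.x
    "7.10beta": (7, 10, 0, 0, 8),  # 7.10 pre-releases
}

def parse_version(text):
    """Extract a comparable version tuple from system/resource/print output."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?(?:(beta|rc)(\d+))?", text)
    if not m:
        raise ValueError("no RouterOS version found")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    release = 0 if m.group(4) else 1   # releases sort above pre-releases
    pre = int(m.group(5) or 0)
    return (major, minor, patch, release, pre)

def version_fixed(ver):
    """True if the version is at or above the first fixed build of its branch."""
    major, minor, _, release, _ = ver
    if major == 6:
        floor = FIXED["6.48"] if minor == 48 else FIXED["6"]
    elif major == 7:
        floor = FIXED["7.10beta"] if (minor == 10 and not release) else FIXED["7"]
    else:
        return False  # assumption: unknown branch, treat as unpatched
    return ver >= floor

def parse_settings(text):
    """Turn 'key: value' lines from ipv6/settings/print into a dict."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def ra_receiver_enabled(settings):
    """The vulnerable combination named in the advisory."""
    ra = settings.get("accept-router-advertisements", "no")
    forward = settings.get("forward", "yes")
    return ra == "yes" or (ra == "yes-if-forwarding-disabled" and forward == "no")

def is_affected(resource_output, settings_output):
    return (ra_receiver_enabled(parse_settings(settings_output))
            and not version_fixed(parse_version(resource_output)))
```

Devices for which is_affected returns True need either the setting change or the upgrade listed above.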
