
CVE-2018-14847

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 02 August 2018
Modified: 07 November 2025
KEV Added: 01 December 2021
Patch: available (fixed by MikroTik in RouterOS 6.42.1 and 6.40.8)
CVSS Score (v3.1): 9.1 Critical, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score: 0.9365 (99.9th percentile)
Risk Priority: 94 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2018-14847 is a critical-severity path traversal (CWE-22) vulnerability in the WinBox interface of MikroTik RouterOS. Its CVSS v3.1 base score is 9.1 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS), CISA has added it to the Known Exploited Vulnerabilities catalog, and public proof-of-concept code is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation). Those are framework mappings; the operational fix is to upgrade affected devices past RouterOS 6.42 and to keep WinBox off untrusted networks.

Deeper analysis

MikroTik RouterOS through version 6.42 contains a directory traversal vulnerability (CVE-2018-14847, CWE-22) in its WinBox interface. The flaw lets unauthenticated remote attackers read arbitrary files on affected devices and lets remote authenticated attackers write arbitrary files, which is why the CVSS 3.1 base score is 9.1 (confidentiality and integrity both high, availability not in scope).

Because WinBox is reachable over the network (TCP/8291 by default) and the read path needs no credentials or user interaction, the attack has low complexity: any exposed device on an affected release returns file contents to whoever asks. In the 2018 campaigns the read primitive was used to pull the router's user database, so a single unauthenticated read typically escalated to an authenticated session and from there to the file write, which allows modification of router configuration or other system files.

Public proof-of-concept code and exploit repositories demonstrate practical exploitability, with read and write primitives against the WinBox service. MikroTik fixed the issue in RouterOS 6.42.1 and, on the long-term branch, 6.40.8. A device that ran an affected release while WinBox was exposed should be treated as compromised rather than merely vulnerable: credentials recovered through the read primitive survive the upgrade, so rotate all RouterOS accounts after patching and review the configuration for unexpected additions (scheduler entries, scripts, SOCKS or web proxy settings).


Vulnerability details

MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.

CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
KEV Date Added: 01 December 2021

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

MikroTik RouterOS ≤ 6.42

Mitigating Controls (NIST 800-53 r5)

AC-3 (Access Enforcement), prevent

Directly enforces authentication and authorization checks on WinBox file operations, blocking the unauthenticated reads and unauthorized writes that CVE-2018-14847 exploits.

SI-10 (Information Input Validation), prevent

Requires validation of path inputs to the WinBox interface, rejecting the directory traversal sequences (CWE-22) used to read or write arbitrary files.

AC-6 (Least Privilege), prevent

Limits the privileges of authenticated WinBox sessions so that a successful login cannot by itself be turned into arbitrary file writes.

None of these controls can be applied by the device owner to the WinBox service itself; they describe what the fixed firmware does. What an operator can do is upgrade to a fixed release and narrow exposure: restrict the WinBox service to management addresses (`/ip service set winbox address=<management-subnet>`), disable it where it is not needed (`/ip service disable winbox`), and drop TCP/8291 from untrusted interfaces in the input chain of the firewall.
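As an added illustration of the two controls above (SI-10 path validation and AC-3 access enforcement) and of the CWE-22 pattern described under Deeper analysis, the following Python is example code written for this page, not RouterOS or WinBox code. The sandbox root `/flash/rw/sandbox`, the `Session` object and the `read`/`write` policy names are assumptions made for the demo. It places the naive join that produces a traversal next to a confined resolver, and gates every file operation behind an authenticated session, with writes additionally requiring a write policy.

```python
"""Added example: lexical path confinement plus an authorization gate.
Not RouterOS code; the sandbox root, the Session shape and the policy
names are assumptions made for this demonstration."""
import posixpath
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed stand-in for the directory a file service may touch.
ROOT = "/flash/rw/sandbox"


class PathTraversal(ValueError):
    """Raised when a supplied path would resolve outside ROOT (CWE-22)."""


def resolve_unsafe(root: str, user_path: str) -> str:
    """The bug pattern: join and normalise, never check the result.
    '../' components in user_path walk out of root."""
    return posixpath.normpath(posixpath.join(root, user_path))


def resolve_confined(root: str, user_path: str) -> str:
    """SI-10 style validation: normalise, then prove the result stays under root.

    Purely lexical (posixpath, no filesystem access) so it runs anywhere;
    on a real filesystem follow it with os.path.realpath() to defeat symlinks."""
    if "\x00" in user_path:
        raise PathTraversal("NUL byte in path")
    # Treat every input as relative: a leading '/' must not override root.
    rel = user_path.lstrip("/")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, rel))
    # Compare on a component boundary so '/flash/rw/sandbox2/x' is rejected.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        raise PathTraversal(f"{user_path!r} resolves to {candidate}, outside {root_norm}")
    return candidate


def is_confined(root: str, user_path: str) -> bool:
    """Boolean view of resolve_confined for callers that only need a verdict."""
    try:
        resolve_confined(root, user_path)
        return True
    except PathTraversal:
        return False


@dataclass
class Session:
    """Assumed session object; the real RouterOS user/policy model is not modelled."""
    user: str = ""
    authenticated: bool = False
    policies: frozenset = field(default_factory=frozenset)


def authorize_file_op(user_path: str, session: Optional[Session], mode: str) -> Tuple[bool, str]:
    """AC-3 style enforcement for a file service: every operation needs an
    authenticated session, writes need an explicit 'write' policy, and the
    path must pass confinement. Returns (allowed, reason_or_resolved_path)."""
    if session is None or not session.authenticated:
        return False, "deny: unauthenticated"
    if mode == "w" and "write" not in session.policies:
        return False, f"deny: user {session.user} lacks write policy"
    try:
        path = resolve_confined(ROOT, user_path)
    except PathTraversal as exc:
        return False, f"deny: {exc}"
    return True, path


if __name__ == "__main__":
    probe = "../../../etc/passwd"
    print("unsafe  ->", resolve_unsafe(ROOT, probe))
    print("confined->", authorize_file_op(probe, Session("admin", True, frozenset({"read", "write"})), "r"))
    print("no auth ->", authorize_file_op("config.rsc", None, "r"))
```

The unauthenticated check comes first on purpose: the confinement check alone would still let an anonymous caller enumerate which paths exist inside the root, and the ordering also means a traversal attempt from an unauthenticated client is refused before the path is even parsed.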
