CVE-2022-45313
Published: 05 December 2022
Summary
CVE-2022-45313 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Mikrotik Routeros. Its CVSS base score is 8.8 (High).
Operationally, ranked in the top 5.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
MikroTik RouterOS versions prior to stable release 7.5 contain an out-of-bounds read vulnerability, tracked as CVE-2022-45313 and assigned CWE-125, in the hotspot process. The flaw is reachable over the network and carries a CVSS 3.1 base score of 8.8, reflecting that an authenticated attacker can supply a crafted nova message to trigger memory corruption.
An attacker with low-privileged network access can exploit the condition without user interaction to execute arbitrary code on the device, resulting in full compromise of confidentiality, integrity, and availability. The attack vector requires only that the hotspot feature be active and that the attacker can reach the management or hotspot interface.
The supplied advisory links describe the issue and provide proof-of-concept material; the version information indicates that upgrading to RouterOS 7.5 or later removes the vulnerable code path. The EPSS score has remained flat at 0.1351 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-48212
Vulnerability details
Mikrotik RouterOs before stable v7.5 was discovered to contain an out-of-bounds read in the hotspot process. This vulnerability allows attackers to execute arbitrary code via a crafted nova message.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.