Cyber Resilience

CVE-2023-30800

Severity: High · Public PoC

Published: 07 September 2023
Modified: 21 November 2025
KEV Added: not listed
Patch:
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0426 (89.1th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-30800 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in MikroTik RouterOS. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 10.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

The vulnerability is a heap memory corruption flaw (CWE-787) in the web server component of MikroTik RouterOS version 6. A remote attacker can trigger the issue by sending a specially crafted HTTP request, which corrupts heap memory and causes the web interface to crash and restart immediately. RouterOS version 7 is unaffected, and the flaw was resolved in the 6.49.10 stable release.

An unauthenticated attacker with network access to the web interface can trigger the flaw without user interaction. Successful exploitation results only in a denial-of-service condition against the web interface; the CVSS vector records no confidentiality or integrity impact.

Public advisories from VulnCheck note that the defect was addressed by upgrading to RouterOS 6.49.10 stable, which eliminates the heap corruption vector in the jsproxy web component.

EPSS for this CVE rose from lower values to a peak of 0.1037 before receding to the current 0.0426, indicating a period of increased exploitation interest after disclosure.

Vulnerability details

The web server used by MikroTik RouterOS version 6 is affected by a heap memory corruption issue. A remote and unauthenticated attacker can corrupt the server's heap memory by sending a crafted HTTP request. As a result, the web interface crashes and is immediately restarted. The issue was fixed in RouterOS 6.49.10 stable. RouterOS version 7 is not affected.

CWE(s): CWE-787 (Out-of-bounds Write)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: mikrotik
Product: routeros
Versions: 6.0 to 6.49.10
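A defender's first question for a record like this is which devices in an inventory still fall in the affected range. The following is an added example, not code from this page or from MikroTik: it parses RouterOS version strings as reported by the device (hostnames and version strings below are constructed) and applies the page's facts that the heap corruption affects the 6.x line, that the fix shipped in 6.49.10 stable, and that RouterOS 7 is unaffected. Because the asset listing above gives 6.49.10 as the upper bound of the range while the analysis says the release fixes the issue, the check treats 6.49.10 itself as patched; adjust that assumption if your source data says otherwise.

```python
import re
from typing import List, Optional, Tuple

# Facts taken from the CVE record: RouterOS 6.x is affected, the fix shipped
# in 6.49.10 stable, RouterOS 7 is not affected.
FIXED_VERSION = (6, 49, 10)

# Matches "6.49.9", "6.48.6 (long-term)", "7.11.2"; a missing patch field is 0.
# Pre-release suffixes such as "rc1" are not modelled (assumption: production
# inventories report released builds).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_routeros_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a RouterOS version string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_affected_cve_2023_30800(version_text: str) -> Optional[bool]:
    """True if the device runs a 6.x build older than 6.49.10, False if it
    runs 6.49.10 or later or a non-6 major, None if the version is unparsable."""
    v = parse_routeros_version(version_text)
    if v is None:
        return None
    return v[0] == 6 and v < FIXED_VERSION


# Constructed sample inventory (hypothetical hostnames and version strings).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("edge-rtr-01", "6.49.9"),
    ("edge-rtr-02", "6.49.10 (stable)"),
    ("branch-rtr-03", "6.48.6 (long-term)"),
    ("core-rtr-04", "7.11.2"),
    ("lab-rtr-05", "unknown"),
]


def triage(inventory: List[Tuple[str, str]]) -> dict:
    """Bucket devices into affected / not_affected / unknown for follow-up.
    Unknown entries are reported separately so they are not silently
    treated as safe."""
    result = {"affected": [], "not_affected": [], "unknown": []}
    for host, version_text in inventory:
        status = is_affected_cve_2023_30800(version_text)
        if status is None:
            result["unknown"].append(host)
        elif status:
            result["affected"].append(host)
        else:
            result["not_affected"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Devices in the "affected" bucket need the 6.49.10 stable upgrade the record names as the fix; "unknown" entries need their version confirmed rather than being assumed patched.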

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-787

Memory protections that mark data regions non-executable blunt out-of-bounds writes that corrupt control flow or inject shellcode. For this CVE the documented impact is a crash and restart of the web interface, which such protections do not prevent; the effective control remains upgrading to RouterOS 6.49.10 stable (or running the unaffected version 7 line) and limiting network exposure of the web interface.
