CVE-2025-10948
Published: 25 September 2025
Summary
CVE-2025-10948 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-10948 is a buffer overflow vulnerability in MikroTik RouterOS version 7, specifically affecting the parse_json_element function within the libjson.so component at the /rest/ip/address/print endpoint. The issue stems from improper handling of JSON elements, allowing remote manipulation that triggers the overflow, as classified under CWE-119 and CWE-120. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
Attackers with low-privilege remote access, such as authenticated users via the network, can exploit this vulnerability without user interaction. Successful exploitation enables arbitrary code execution or system compromise, granting high levels of confidentiality, integrity, and availability impact, potentially leading to full control over the affected RouterOS device.
Mitigation requires upgrading to RouterOS versions 7.20.1 or 7.21beta2, which address the issue. The vendor has confirmed the fix in their bug tracker and plans to include it in the next release, urging users to update promptly. A public proof-of-concept exploit is available on GitHub, demonstrating the buffer overflow in libjson-unicode handling.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-31088
Vulnerability details
A vulnerability has been found in MikroTik RouterOS 7. This affects the function parse_json_element of the file /rest/ip/address/print of the component libjson.so. The manipulation leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has…
more
been disclosed to the public and may be used. Upgrading to version 7.20.1 and 7.21beta2 mitigates this issue. You should upgrade the affected component. The vendor replied: "Our bug tracker reports that your issue has been fixed. This means that we plan to release a RouterOS update with this fix. Make sure to upgrade to the next release when it comes out."
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in exposed REST API endpoint (/rest/ip/address/print) allows authenticated low-priv remote users to achieve RCE and full system compromise on RouterOS device.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Mandates timely identification, reporting, prioritization, and correction of software flaws like this buffer overflow via patching to RouterOS 7.20.1 or 7.21beta2.
Provides memory protections such as address space layout randomization and non-executable memory to mitigate exploitation of the buffer overflow for arbitrary code execution.
Requires validation of information inputs like JSON elements to the parse_json_element function to prevent malformed data from triggering the buffer overflow.