Cyber Resilience

CVE-2025-10948

High

Published: 25 September 2025

Published
25 September 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 7.4 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0030 53.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-10948 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability. Its CVSS base score is 7.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-10948 is a buffer overflow vulnerability in MikroTik RouterOS version 7, specifically affecting the parse_json_element function within the libjson.so component at the /rest/ip/address/print endpoint. The issue stems from improper handling of JSON elements, allowing remote manipulation that triggers the overflow, as classified under CWE-119 and CWE-120. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Attackers with low-privilege remote access, such as authenticated users via the network, can exploit this vulnerability without user interaction. Successful exploitation enables arbitrary code execution or system compromise, granting high levels of confidentiality, integrity, and availability impact, potentially leading to full control over the affected RouterOS device.

Mitigation requires upgrading to RouterOS versions 7.20.1 or 7.21beta2, which address the issue. The vendor has confirmed the fix in their bug tracker and plans to include it in the next release, urging users to update promptly. A public proof-of-concept exploit is available on GitHub, demonstrating the buffer overflow in libjson-unicode handling.

EU & UK References

Vulnerability details

A vulnerability has been found in MikroTik RouterOS 7. This affects the function parse_json_element of the file /rest/ip/address/print of the component libjson.so. The manipulation leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has…

more

been disclosed to the public and may be used. Upgrading to version 7.20.1 and 7.21beta2 mitigates this issue. You should upgrade the affected component. The vendor replied: "Our bug tracker reports that your issue has been fixed. This means that we plan to release a RouterOS update with this fix. Make sure to upgrade to the next release when it comes out."

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Buffer overflow in exposed REST API endpoint (/rest/ip/address/print) allows authenticated low-priv remote users to achieve RCE and full system compromise on RouterOS device.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3273Shared CWE-119, CWE-120
CVE-2026-4488Shared CWE-119, CWE-120
CVE-2026-6632Shared CWE-119, CWE-120
CVE-2026-3168Shared CWE-119, CWE-120
CVE-2026-5984Shared CWE-119, CWE-120
CVE-2025-14191Shared CWE-119, CWE-120
CVE-2026-4487Shared CWE-119, CWE-120
CVE-2025-15430Shared CWE-119, CWE-120
CVE-2025-11120Shared CWE-119, CWE-120
CVE-2026-2068Shared CWE-119, CWE-120

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Mandates timely identification, reporting, prioritization, and correction of software flaws like this buffer overflow via patching to RouterOS 7.20.1 or 7.21beta2.

prevent

Provides memory protections such as address space layout randomization and non-executable memory to mitigate exploitation of the buffer overflow for arbitrary code execution.

prevent

Requires validation of information inputs like JSON elements to the parse_json_element function to prevent malformed data from triggering the buffer overflow.

References