Description:
MikroTik RouterOS through version 7.14.2 and SwOS through version 2.18 initialize the WebFig management interface with HTTP enabled by default and without automatic redirection to HTTPS. After a factory reset, the management UI, including the login page and its associated JavaScript, loads entirely over cleartext HTTP. During authentication, the client-side script stores the username and password in window.sessionStorage and transmits the credentials over port 80, allowing interception by any on-path attacker. Packet capture confirms that management traffic and credentials are fully visible and modifiable in transit.
This insecure default configuration exposes administrators to credential theft and session tampering via simple man-in-the-middle attacks on the local network. The issue affects devices such as CRS326-24G-2S+ and likely other models using the same WebFig component in RouterOS and SwOS.
Impact:
Exposure of management-plane credentials and possible configuration tampering by an on-path attacker.
Attack prerequisites:
An attacker must have network-level access capable of intercepting or modifying HTTP traffic between the administrator’s browser and the device.
Affected versions:
- RouterOS 7.14.2 (stable)
- SwOS 2.18 (tested on CRS326-24G-2S+)
Other devices using the same WebFig component are likely affected.
Mitigation:
Place management interfaces on isolated, trusted networks. Enable HTTPS for WebFig where possible, or use encrypted management channels such as SSH or VPN tunnels. Administrators should treat all HTTP-only management interfaces as unencrypted and sensitive until HTTPS is enforced by default.
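The following RouterOS console sequence applies the mitigation above (serve WebFig only over HTTPS and restrict it to a trusted network). It is an added example, not configuration taken from the report or from MikroTik, and assumes RouterOS 7 console access, a device LAN address of 192.168.88.1, a management subnet of 192.168.88.0/24 and a locally generated self-signed CA; SwOS has no CLI, so it does not apply there.

```routeros
# Assumed values (replace for your network): device address 192.168.88.1,
# trusted management subnet 192.168.88.0/24.

# 1. Create a local CA and a TLS server certificate for WebFig. The CA is
#    self-signed; import webfig-ca into administrator browsers (or issue the
#    server certificate from your own PKI instead) to avoid trust warnings.
/certificate add name=webfig-ca common-name=webfig-ca key-usage=key-cert-sign,crl-sign
/certificate sign webfig-ca
/certificate add name=webfig common-name=192.168.88.1 subject-alt-name=IP:192.168.88.1 key-usage=tls-server
/certificate sign webfig ca=webfig-ca

# 2. Bind the certificate to the HTTPS service (port 443) and enable it FIRST,
#    so the web UI stays reachable when the cleartext service is disabled.
/ip service set www-ssl certificate=webfig disabled=no

# 3. Disable the cleartext HTTP service (port 80): the login page and its
#    JavaScript can then no longer be loaded or modified in transit.
/ip service set www disabled=yes

# 4. Limit the remaining management services to the trusted subnet.
/ip service set www-ssl address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# 5. Verify: www must be disabled, www-ssl enabled with the certificate bound.
/ip service print where name~"www"
```

Confirm HTTPS login works from the management subnet before closing the session, since a mistake in step 2 leaves only SSH and Winbox for recovery.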
CWE:
- CWE-1188 – Initialization of a Resource with an Insecure Default
- CWE-319 – Cleartext Transmission of Sensitive Information
- CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor
PoC:
N3mes1s full reproduction report
https://gist.github.com/N3mes1s/79849e333186cedfd3d53661cbcba719
Suggested CVSS v3.1 vector (base): AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L = 10.0
Suggested CVSS v4.0 vector (base, approximate): AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L ≈ 10.0
Attack Vector (AV): Network (N) — a network on-path attacker (same LAN, compromised AP, upstream device) can intercept and modify HTTP traffic.
Attack Complexity (AC): Low (L) — no advanced skills required beyond basic MITM/sniffing and injecting JS into HTTP-served script.
Privileges Required (PR): None (N) — attacker only needs network position (on-path).
User Interaction (UI): None (N) — no user interaction required.
Scope (S): Changed (C) — compromising the management interface can change device configuration and affect networks beyond the local component.
Confidentiality (C): High (H) — exposed admin credentials/session tokens lead to credential disclosure.
Integrity (I): High (H) — attacker can change device configuration, inject routes, modify behavior.
Availability (A): Low (L) — the attacker can disrupt the network or its configuration, but destroying availability is not required to exploit the issue (Low rather than None because the administrator can be locked out or configuration changes can cause outages).
Credits:
Discovered by Oliver.
References:
MikroTik documentation: https://help.mikrotik.com/docs/spaces/ROS/pages/31805642/WebFig
// Oliver