Introduction
Remote attackers have a new vector for compromising MikroTik RouterOS 7 deployments via the REST API. This buffer overflow vulnerability in the JSON parsing logic can lead to memory corruption and potentially remote code execution, with public exploits already circulating. MikroTik is a widely used networking vendor with significant presence in ISP, enterprise, and critical infrastructure environments. Their RouterOS platform powers hundreds of thousands of routers and wireless devices globally, making vulnerabilities in this ecosystem highly impactful for the internet at large.
Technical Information
CVE-2025-10948 is a buffer overflow vulnerability in MikroTik RouterOS 7, specifically in the parse_json_element function within the libjson.so shared library. This function is invoked by the REST API endpoint /rest/ip/address/print, which is commonly used for retrieving IP address information via JSON-based API calls.
The vulnerability arises due to insufficient bounds checking when parsing JSON input. When a remote attacker sends a specially crafted JSON payload to this endpoint, the parse_json_element function copies user-supplied data into a fixed-size buffer without proper validation of the input length. This leads to a classic buffer overflow condition, where data written past the end of the buffer can corrupt adjacent memory structures.
The vulnerability is classified under:
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-120: Buffer Copy without Checking Size of Input
This flaw can be triggered remotely, without authentication, if the REST API is exposed to untrusted networks. The exploit leverages the ability to send oversized or specially crafted JSON elements that cause the vulnerable function to overwrite memory, potentially leading to arbitrary code execution depending on the memory layout and system protections.
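The unchecked copy described above is the generic CWE-120 pattern, and the fix is the same wherever it appears: the copy routine must know the size of its destination and refuse input that does not fit. The following C example is added here for illustration; it is not MikroTik's code, the libjson.so internals are not public, and the buffer size ELEM_MAX, the function names and the sample JSON value are all hypothetical. It places a stripped-down unsafe string-element copy beside a bounded version that returns an error instead of writing past the end of the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size element buffer. The real size used inside
 * libjson.so is not public; 64 is an assumption for this example. */
#define ELEM_MAX 64

/* Illustrative vulnerable pattern (not MikroTik's code): copies the bytes
 * between the opening and closing quote into `out` with no check against
 * the buffer size. Any value longer than ELEM_MAX - 1 bytes writes past the
 * end of `out`, which is the CWE-120 condition the advisory describes. */
static void copy_string_element_unsafe(const char *json, char out[ELEM_MAX])
{
    size_t i = 0;
    if (*json == '"') json++;
    while (*json && *json != '"') {
        out[i++] = *json++;          /* no bounds check */
    }
    out[i] = '\0';
}

/* Hardened version. Returns the number of bytes copied, -1 on malformed
 * input, or -2 when the element would not fit. Oversized input is rejected
 * outright rather than silently truncated, so the caller sees the failure.
 * Handles the \" and \\ escapes so an escaped quote inside the value does
 * not end the element early. */
static int copy_string_element_safe(const char *json, char *out, size_t out_len)
{
    size_t i = 0;
    if (out_len == 0) return -2;
    if (*json != '"') return -1;      /* not a JSON string element */
    json++;
    while (*json != '"') {
        if (*json == '\0') return -1;     /* unterminated string */
        if (i + 1 >= out_len) return -2;  /* leave room for the NUL terminator */
        if (*json == '\\') {
            json++;
            if (*json == '"' || *json == '\\') { out[i++] = *json++; continue; }
            return -1;                    /* other escapes unsupported in this toy */
        }
        out[i++] = *json++;
    }
    out[i] = '\0';
    return (int)i;
}

/* Self-checks so the behaviour can be verified without printing. */
static int check_normal_value(void)
{
    char buf[ELEM_MAX];
    /* Constructed sample value in the shape of an address entry. */
    return copy_string_element_safe("\"192.168.88.1/24\"", buf, sizeof buf) == 15
        && strcmp(buf, "192.168.88.1/24") == 0;
}

static int check_oversized_rejected(void)
{
    char big[ELEM_MAX + 40];          /* constructed: longer than the buffer */
    char buf[ELEM_MAX];
    memset(big, 'A', sizeof big);
    big[0] = '"';
    big[sizeof big - 2] = '"';
    big[sizeof big - 1] = '\0';
    return copy_string_element_safe(big, buf, sizeof buf) == -2;
}

static int check_escaped_quote(void)
{
    char buf[ELEM_MAX];
    return copy_string_element_safe("\"a\\\"b\"", buf, sizeof buf) == 3
        && strcmp(buf, "a\"b") == 0;
}

int main(void)
{
    char buf[ELEM_MAX];
    copy_string_element_unsafe("\"short\"", buf);   /* fits, so no overflow here */
    printf("unsafe copy of short value: %s\n", buf);
    printf("normal value ok: %d\n", check_normal_value());
    printf("oversized rejected: %d\n", check_oversized_rejected());
    printf("escaped quote ok: %d\n", check_escaped_quote());
    return 0;
}
```

The design point is that the safe variant takes the destination size as a parameter and fails closed: a value that does not fit is an error the caller must handle, not a truncated or partially written buffer. In a real parser the same check belongs on every copy into a fixed-size structure, not only on string values.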
No official patch or detection method is available as of the publication date. Exploit code and technical details have been published publicly (see References below).
Affected Systems and Versions
- MikroTik RouterOS 7
- Vulnerable component: libjson.so, specifically the parse_json_element function
- Vulnerable endpoint: /rest/ip/address/print
- Only RouterOS 7 is confirmed affected; earlier versions are not mentioned in public sources
- Systems with the REST API enabled and accessible from untrusted networks are at highest risk
Vendor Security History
MikroTik has a documented history of buffer overflow and remote code execution vulnerabilities in RouterOS. Notable examples include:
- CVE-2018-7445: SMB stack buffer overflow, enabled remote code execution
- CVE-2023-30799: Authentication bypass and privilege escalation in RouterOS
The vendor's response to security disclosures has been inconsistent. For CVE-2025-10948, MikroTik did not respond to early disclosure attempts. Previous vulnerabilities have also seen delayed or incomplete patching, and the security maturity of the vendor has been questioned by the research community.
References
- NVD entry for CVE-2025-10948
- Official CVE entry
- GitHub PoC and technical details
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-120: Buffer Copy without Checking Size of Input
Additional references: