LiveActive security incident?Get immediate response
CVE Record

CVE-2018-14847: MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote a...

MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files due to a directory traversal vulnerability in the WinBox interface.

CriticalCVSS 9.1Known exploitedUpdated
Glexia's TakeAutomated analysiscritical

Security readout for executives and security teams

Plain-English summary

This flaw lets unauthenticated remote attackers read files from MikroTik RouterOS devices through the WinBox interface. Authenticated attackers may also write arbitrary files. Because CISA lists CVE-2018-14847 in KEV, defenders should treat exposed affected devices as actively targeted, not theoretical.

Executive priority

Immediate priority for perimeter and branch routers. This is an older but known-exploited critical management-plane flaw with public exploit material, so unresolved exposure can create direct compromise risk.

Technical view

CVE-2018-14847 is a CWE-22 directory traversal issue in MikroTik RouterOS through 6.42 WinBox. The CVSS 3.1 score is 9.1, with network access, low complexity, no user interaction, and no privileges required for file read. Integrity impact applies where authentication is available for file write.

Likely exposure

Highest exposure is MikroTik RouterOS through 6.42 with WinBox reachable from untrusted networks. The bundle does not provide CPEs or a complete affected-version matrix beyond RouterOS through 6.42.

Exploitation context

CISA KEV inclusion confirms known exploitation. The source bundle also lists public exploit and proof-of-concept references, increasing operational risk for internet-exposed management interfaces.

Researcher notes

Evidence is strong for vulnerability class, affected line, severity, public exploit availability, and known exploitation. The provided bundle does not include detailed vendor fixed-version text, so remediation should be anchored to MikroTik guidance.

Mitigation direction

  • Review MikroTik WinBox vulnerability guidance and apply vendor-recommended RouterOS updates.
  • Restrict WinBox management access to trusted administrative networks only.
  • Prioritize externally reachable RouterOS devices through 6.42 for remediation.
  • Disable unnecessary remote management exposure until vendor guidance is applied.
  • Investigate affected devices for unauthorized configuration or file access.

Validation and detection

  • Inventory MikroTik RouterOS devices and record exact RouterOS versions.
  • Identify any RouterOS through 6.42 systems with WinBox enabled.
  • Verify whether WinBox is reachable from the internet or untrusted networks.
  • Confirm vendor guidance has been applied on each affected device.
  • Review device configuration and logs for suspicious administrative changes.
Prepared
Confidence
high
Sources
6

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-22: File access and web shell behavior lookup

File traversal and upload weaknesses can lead teams to review file, web shell, execution, and collection telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

File access behavior lookup

The CVE wording references file access or upload behavior, so file telemetry and web shell review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2018-14847 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.1 (3.1)
Known Exploited
Yes
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
10Source links

CISA KEV status

Status
Known exploited
Source
CISA / ADP
Date added
Not provided

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.1CVSS 3.1CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N3.95.2Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

9.1Critical
CVSS 3.1 vector shape for CVE-2018-14847Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-22 · source CWE mapping

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.