A critical remote code execution (RCE) vulnerability, identified as CVE-2025-61481, has been discovered in MikroTik RouterOS and SwitchOS. This flaw, with a CVSS score of 10.0, allows a remote unauthenticated attacker to gain complete control of an affected device through its web-based management interface. Successful exploitation poses a severe risk, potentially leading to a full network compromise, data theft, and service disruption.

This vulnerability is a critical remote code execution (RCE) flaw within the HTTP-only WebFig management component of MikroTik devices. An attacker can exploit this issue by sending a specially crafted, malicious request to the device's web management interface. Due to a flaw in how this request is processed, the attacker can execute arbitrary code on the underlying operating system with high privileges, leading to a complete compromise of the networking device.

This vulnerability is rated as critical severity with a CVSS score of 10.0, representing the highest possible risk. A successful exploit would grant an attacker complete administrative control over the affected router or switch. This could lead to severe consequences, including the interception and theft of all network traffic, widespread network outages, and using the compromised device as a launchpad for further attacks against the internal network. The potential for data breaches, operational downtime, and reputational damage is exceptionally high.

Immediate Action: Immediately update all affected MikroTik RouterOS and SwitchOS devices to the latest patched version provided by the vendor. After patching, review system and access logs for any signs of compromise that may have occurred prior to the update.

Proactive Monitoring: Actively monitor access logs for the WebFig management interface, looking for unusual or repeated login attempts from unknown IP addresses. Network traffic should be monitored for any unexpected outbound connections originating from the MikroTik device itself. System integrity checks should be performed to detect unauthorized configuration changes, new user accounts, or suspicious running processes.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

• Restrict access to the WebFig management interface to a limited set of trusted IP addresses using firewall rules.
• If WebFig is not required for management, disable the service entirely.
• Ensure the management interface is not exposed to the public internet.

Public Exploit Available: false

Due to the critical severity of this remote code execution vulnerability, we recommend immediate and decisive action. Organizations must prioritize applying the vendor-supplied patches to all affected MikroTik devices without delay. Until patches can be applied, access to the WebFig management interface should be strictly limited to trusted networks and IP addresses. The high probability of future exploitation demands that this vulnerability be treated as an active and severe threat to the network infrastructure.