CVE-2024-54772

Published: Feb 11, 2025Modified: Jun 30, 2025

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.5

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

An issue was discovered in the Winbox service of MikroTik RouterOS long-term release v6.43.13 through v6.49.13 and stable v6.43 through v7.17.2. A patch is available in the stable release v6.49.18. A discrepancy in response size between connection attempts made with a valid username and those with an invalid username allows attackers to enumerate for valid accounts.

Affected (3)

Products: Mikrotik: Routeros

1 product

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Mikrotik Routeros	From 6.43 to 6.49.18
Mikrotik Routeros	From 7.1 to 7.18
Mikrotik Routeros	From 6.43.13 to 6.49.13

Related CWEs

Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References (1)

https://github.com/deauther890/CVE-2024-54772

Source: cve@mitre.org

ExploitThird Party Advisory

Timeline

No history available yet.