An attacker sends a specially crafted LOGIN_REQUEST packet to port 8291 (WinBox) of the target MikroTik router. No credentials are provided. Instead, the packet contains a malformed username field with a predetermined length (e.g., 256 bytes) that triggers a stack-based buffer overflow in the session_manager process.
MikroTik released version 6.47.10 as part of its stable "long-term" lifecycle to patch serious vulnerabilities discovered during the 2021-2022 threat landscape. However, because many organizations neglect timely firmware management, devices running 6.47.10 occasionally remain exposed to older unpatched vectors or configuration errors. 1. The SCEP Server Buffer Overflow (CVE-2021-41987) mikrotik 64710 exploit
If you do not use specific management tools, turn them off to minimize your attack surface. Go to and disable Webfig, API, or SSH if they are not strictly required. 4. Monitor System Logs and Files Look for unusual indicators of compromise (IoCs), such as: Unexpected reboots or high CPU spikes. Unknown scripts in /system script . Unfamiliar scheduler tasks in /system scheduler . An attacker sends a specially crafted LOGIN_REQUEST packet
Here is an analysis of the vulnerability and the specific "interesting feature" that made it possible. MikroTik released version 6