An issue in MikroTik RouterOS v.7.14.2 and SwOS v.2.18 exposes the WebFig management interface over cleartext HTTP by default, allowing an on-path attacker to execute injected JavaScript in the administrator’s browser and intercept credentials.
The WebFig interface, used to manage MikroTik devices through a web browser, by default operates on the unencrypted HTTP protocol instead of HTTPS. An attacker positioned on the communication path (on-path attacker, e.g., on the same LAN or routing path) can intercept traffic in plaintext. The lack of encryption enables both passive eavesdropping of transmission (theft of login credentials) and active injection of malicious JavaScript code into the HTTP server response, which will then be executed in the authenticated administrator's browser.
An attacker can intercept administrator credentials of the MikroTik device and execute arbitrary JavaScript code in the administrator's browser (XSS), which in practice means the possibility of taking full control of the network device and potentially the entire managed infrastructure.
Patches available from the manufacturer should be applied according to references. Until updates are deployed, it is recommended to: disable access to the WebFig interface over HTTP and enforce HTTPS (if available), restrict access to the management interface exclusively to trusted IP addresses using a firewall, and use alternative encrypted management methods (e.g., SSH, Winbox over VPN).
MikroTik RouterOS v.7.14.2 and MikroTik SwOS v.2.18 — devices with WebFig interface enabled by default and accessible over HTTP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L