CVE-2023-47310
BaseFortify
Publication date: 2025-06-30
Last updated on: 2025-06-30
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1174 | The ASP.NET application does not use, or incorrectly uses, the model validation framework. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in MikroTik RouterOS versions prior to 7.14 is due to a misconfiguration in the default IPv6 firewall rules. The firewall allowed incoming UDP packets with source ports in the range 33434-33534 (used for UDP traceroute) to bypass firewall filtering because the rule matched on source port instead of destination port. An attacker could exploit this by crafting IPv6 UDP packets with a source port in this range, causing the packets to be accepted unconditionally and bypass the firewall. [1]
How can this vulnerability impact me? :
This vulnerability can expose all UDP services running on the affected MikroTik device, such as CAPsMAN, DNS, container services, and others, to potential unauthorized access. Attackers could exploit this flaw to bypass firewall protections and gain access to these services, potentially leading to unauthorized control, data exposure, or disruption of network services. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking the IPv6 firewall filter rules on your MikroTik RouterOS device to see if there is a rule in the input chain that accepts UDP packets based on source ports 33434-33534. Use the following command to list the relevant firewall rules: /ipv6 firewall filter print where chain=input and protocol=udp and port=33434-33534 If such a rule exists with 'port' matching source ports, the device is vulnerable. Additionally, monitoring incoming IPv6 UDP traceroute packets with source ports in this range can indicate exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update your MikroTik RouterOS to version 7.14 or later where the fix is applied. If updating is not immediately possible, manually modify your IPv6 firewall filter rules to change the UDP traceroute acceptance rule to match on destination ports instead of source ports. Specifically, replace the rule: /ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp with: /ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp This change prevents crafted packets from bypassing the firewall and protects UDP services from unauthorized access. [1]