Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

CVE-2018-5951: MikroTik RouterOS Denial of Service Vulnerability

Vulnerability Summary

A vulnerability in MikroTik RouterOS allows an unauthenticated remote attacker to force a router to reboot. This is done by sending a packet of the size of 1 byte to RouterOS's IPv6 address using IP proto 97. All versions of RouterOS with EoIPv6 support are likely vulnerable to this attack. This attack required target system to have IPv6 enabled and had at least one tunnel interface present.

Attack Vector

  • IPv6 is enabled on the target system.
  • No IPv6 filter rule blocking INPUT of IP proto 97.
  • At least one tunnel interface present in the target system. (tunnel type does not matter)

Vulnerability Overview

EoIPv6 (Ethernet over IPv6) are MikroTik RouterOS's Layer 2 tunneling protocol. The EoIPv6 protocol encapsulates Ethernet frames in a modified EtherIP (IP proto 97) packets.

MikroTik's implement of EoIPv6 uses 12 reserved bits of EtherIP to store tunnel ID. MikroTik also swapped the first 4 bits and the second 4 bits of the EtherIP header.

To retrieve tunnel ID and validate the packet, RouterOS will swap bits as described above on packets received on proto 97. The process happens as long as there are tunnel interfaces present in the system (even if it is disabled). RouterOS does not check the payload size during the process. So a one byte packet on proto 97 will break it (since the rest of bits required to build the tunnel ID are missing).

Proof of Concept

On RouterOS, add an IPv6:

/ipv6 address add interface=ether1 address=fd00::1/64 advertise=no

And a tunnel (any type):

/interface ipip add remote-address=

Run the exploit (exploit.c in repo):

./exploit fd00::1

RouterOS will reboot itself in a few seconds after the exploit. The following logs can be seen after reboot:

jan/20/2018 10:28:36 system,error,critical router was rebooted without proper shutdown

Tested Versions

RouterOS 6.39.3 (Bugfix only), 6.41 (Current) and 6.42rc11 (Release candidate) are tested, and all of them are vulnerable to this attack at the time of writing. This vulnerability is likely to present in the older versions of RouterOS with EoIPv6 support as well.


See this thread on MikroTik forum.


MikroTik RouterOS Denial of Service Vulnerability






No releases published


No packages published