
CVE-2024-54772

Observable Timing Discrepancy (CWE-208)

Published: Feb 11, 2025 | Modified: Jun 30, 2025
CVSS 3.x: N/A (source: NVD)

An issue was discovered in the Winbox service of MikroTik RouterOS long-term release v6.43.13 through v6.49.13 and stable v6.43 through v7.17.2. A patch is available in the stable release v6.49.18. The size of the response to a connection attempt differs depending on whether the submitted username exists, so an attacker who can reach the Winbox port can enumerate valid accounts without knowing any password.

Weakness

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

In this CVE the observable difference is response size rather than timing, but the consequence is the same as for CWE-208: the service reveals whether a username is valid independently of the password supplied, which turns credential guessing into a two-stage attack (enumerate users first, then spray passwords only against accounts known to exist). Practitioners should also treat a fixed-size, constant-time rejection path as the expected hardening for any login endpoint, not only Winbox.

Affected Software

Name       Vendor     Start Version        End Version
RouterOS   MikroTik   6.43 (including)     6.49.18 (excluding)
RouterOS   MikroTik   6.43.13 (including)  6.49.13 (including)
RouterOS   MikroTik   7.1 (including)      7.18 (excluding)
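The ranges above mix inclusive and exclusive bounds, and RouterOS reports its version in forms like "6.49.13 (long-term)" or "7.18beta1", so checking an inventory by hand is error-prone. The following checker is an added example written for this page; it is not MikroTik code and it does not talk to any router. It encodes the three rows of the table and compares a version string against them. Treating a trailing suffix such as rc or beta as a pre-release that sorts before the plain release is an assumption made here, not a documented RouterOS ordering rule.

```python
"""Check a RouterOS version string against the affected ranges for
CVE-2024-54772.  Added example for this page; not MikroTik's code."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    start: str
    start_inclusive: bool
    end: str
    end_inclusive: bool


# The three rows of the Affected Software table, transcribed verbatim.
AFFECTED_RANGES = [
    Range("6.43", True, "6.49.18", False),
    Range("6.43.13", True, "6.49.13", True),
    Range("7.1", True, "7.18", False),
]

_COMPONENT = re.compile(r"^(\d+)(.*)$")


def parse_version(version: str) -> tuple:
    """Turn '7.17.2', 'v6.49.13 (long-term)' or '7.18beta1' into a tuple
    that compares correctly with < and ==.

    Numeric components are padded to three places.  A non-numeric suffix
    on any component (rc, beta, ...) marks the version as a pre-release,
    which this example orders just before the plain release of the same
    number.  That ordering is an assumption of this example.
    """
    text = version.strip()
    if not text:
        raise ValueError("empty version string")
    text = text.split()[0]          # drop channel annotations like "(long-term)"
    if text[0] in "vV":
        text = text[1:]
    nums = []
    prerelease = False
    for part in text.split("."):
        m = _COMPONENT.match(part)
        if not m:
            raise ValueError(f"unparseable component {part!r} in {version!r}")
        nums.append(int(m.group(1)))
        if m.group(2):
            prerelease = True
    while len(nums) < 3:
        nums.append(0)
    # Final element: 0 for pre-release, 1 for release, so 7.18beta1 < 7.18.
    return tuple(nums) + (0 if prerelease else 1,)


def in_range(version: str, r: Range) -> bool:
    """True if version lies inside r, honouring inclusive/exclusive ends."""
    v = parse_version(version)
    lo, hi = parse_version(r.start), parse_version(r.end)
    above_start = v > lo or (r.start_inclusive and v == lo)
    below_end = v < hi or (r.end_inclusive and v == hi)
    return above_start and below_end


def is_affected(version: str) -> bool:
    """True if any row of the affected-software table covers this version."""
    return any(in_range(version, r) for r in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample inventory, e.g. pasted from "/system resource print".
    for v in ["6.49.13 (long-term)", "6.49.18", "7.17.2", "7.18", "6.42.12"]:
        print(f"{v:24} affected={is_affected(v)}")
```

Because the end bounds are exclusive in two rows, the fixed builds 6.49.18 and 7.18 come back as not affected while 6.49.17 and 7.17.2 do; a pre-release build such as 7.18beta1 is reported as affected under this example's ordering, which is the conservative choice when you cannot confirm the fix was in that build.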

References