
Mikrotik 64710 Exploit ⚡

A backdoor planted on a compromised MikroTik router has been observed in the wild as part of advanced persistent threat (APT) campaigns. It serves as a covert channel, allowing attackers to issue commands, deploy additional malware, or pivot to other devices on the network, all while the administrator may remain unaware that the router has been compromised.

The MikroTik RouterOS 6.47 series contains several high-profile vulnerabilities, most notably CVE-2021-41987, which affects the SCEP (Simple Certificate Enrollment Protocol) server and allows Remote Code Execution (RCE). Version 6.47.10 was the last release in the 6.47.x long-term branch before subsequent patches moved into the 6.48.x and 7.x trees.

🛡️ Critical Exploit: CVE-2021-41987

The management services a RouterOS device exposes make up its attack surface:

WinBox (port 8291): MikroTik's proprietary management GUI.
WebFig: the web-based administration interface.
API services (ports 8728/8729): automated management ports.

2. The Flaw

In June 2020, a critical vulnerability was discovered in MikroTik's RouterOS, the operating system used in the company's popular network devices. The vulnerability, tracked as CVE-2020-15525, is reported to affect RouterOS versions 6.47.10 and earlier. It allows an attacker to potentially execute arbitrary code on the device, gain unauthorized access, and compromise the network.

CVE-2021-41987 is a heap-based buffer overflow that allows Remote Code Execution (RCE) without authenticating to the router, posing a severe risk to network infrastructure.

If you do not use WinBox, WebFig (www/www-ssl) or the API, disable them in /ip service, and restrict the services you keep to a management address range. Note that the SCEP server and SNMP are not listed in /ip service: disable them under /certificate scep-server and /snmp respectively.
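The surface reduction described above, written out as RouterOS 6.x CLI commands. This is an added example, not configuration from the page or from MikroTik; it assumes the administrative LAN is 192.168.88.0/24 (a hypothetical value) and that only SSH and WinBox are actually needed.

```routeros
# Added example (not from the page): reduce the RouterOS 6.x management surface.
# Assumptions: admin LAN is 192.168.88.0/24; only SSH and WinBox stay enabled.

# 1. Inventory what is listening. A service whose address field is empty
#    answers on every interface, including the WAN uplink.
/ip service print

# 2. Disable services that are not used (telnet, ftp, www, www-ssl, api, api-ssl).
/ip service disable [find name~"^(telnet|ftp|www|api)"]

# 3. Restrict the services you keep to the management subnet.
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# 4. SCEP and SNMP live outside /ip service and must be switched off separately.
/certificate scep-server print
/certificate scep-server disable [find]
/snmp set enabled=no

# 5. The bandwidth-test server and the SMB server are network listeners too.
/tool bandwidth-server set enabled=no
/ip smb set enabled=no

# 6. Confirm that only the intended services remain, each with an address set.
/ip service print where disabled=no
```

Run the inventory step first and compare it with what you expect; an unexpected entry or an empty address field on a kept service is exactly the kind of configuration issue that ends up labelled an "exploit" on scanning sites.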

Historically, MikroTik's implementation of the SMB protocol inside the RouterOS 6.x ecosystem has been a prime target for fuzzing and exploitation. Related vulnerabilities (such as CVE-2024-27686 and legacy equivalents) show that enabling file sharing on an unpatched 6.x build such as 6.47.10 lets network-adjacent or remote attackers send malformed NetBIOS/SMB packets that crash the file-sharing daemon, forcing a persistent Denial of Service (DoS) state. If file sharing is not needed, disable the SMB server under /ip smb.

Anatomy of a Target: Why Attackers Target Version 6.47.10

WinBox is MikroTik's proprietary management GUI, and the WinBox protocol it speaks is a proprietary protocol developed by MikroTik for managing and configuring their devices. The exploit targets a vulnerability in that protocol: an attacker sends a specially crafted packet to the device, which leads to a buffer overflow and execution of arbitrary code.

Some older, misconfigured RouterOS installations exposed a management service on TCP port 64710, often as a side effect of the MikroTik Bandwidth Test Server or misrouted API services. Scanning tools such as Shodan occasionally show port 64710 open, which leads some to call it "the 64710 exploit". It is a configuration issue, not an exploit: the remedy is to close the stray listener and firewall the WAN side, not to look for a patch.

In the WinBox case, the crafted packet causes the targeted RouterOS process to execute the attacker's code, granting them shell access.

For CVE-2021-41987 the SCEP server function must be enabled, and the attacker typically needs to know the specific scep_server_name.

WinBox, MikroTik's proprietary graphical administration tool, communicates over port 8291. Versions from the 6.47.x era frequently lacked robust protection against automated credential brute-forcing, credential-extraction vectors, or parsing bugs.

CVE-2021-41987 is the most severe vulnerability linked specifically to version 6.47.10: a heap-based buffer overflow in the SCEP server.

The older CVE-2018-14847 vulnerability has severe consequences, including unauthenticated read access to the router's internal filesystem and, with it, the stored user database and credentials. It affects RouterOS versions up to 6.42 (stable branch) and up to 6.40.7 (long-term branch) and was patched in 6.42.1 and 6.40.8 respectively, so a router genuinely running 6.47.10 already carries the fix. However, a very large number of devices on the public internet were never updated and remain at risk. The flaw exists because the file handler within the WinBox service (which listens on port 8291/TCP by default) does not properly validate authentication for certain requests. An unauthenticated attacker can send a specially crafted packet to this port, bypass authentication checks, and read files from the router's internal filesystem.
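Both the brute-forcing concern on port 8291 above and the CVE-2018-14847 exposure share one mitigation: WinBox and the API must not be reachable from the internet, and the installed version must be past the fix. The following RouterOS 6.x configuration is an added example, not MikroTik's own or the page's; it assumes ether1 is the WAN uplink and that administrators connect from 192.168.88.0/24 (both hypothetical values), and it closes with a default deny on the WAN input chain, which also covers any stray listener such as the port 64710 case discussed earlier.

```routeros
# Added example (not from the page): keep WinBox/API off the internet and
# confirm the installed RouterOS build is past the CVE-2018-14847 fix.
# Assumptions: ether1 is the WAN uplink; admins come from 192.168.88.0/24.

# Interface list, so the rules do not depend on one interface name.
/interface list add name=WAN
/interface list member add list=WAN interface=ether1

# Hosts allowed to reach the management ports.
/ip firewall address-list add list=mgmt address=192.168.88.0/24

# Input chain, evaluated top to bottom:
#   keep established flows, allow management from mgmt only,
#   log and drop WinBox (8291) and API (8728/8729) probes from the WAN,
#   then deny everything else arriving on the WAN.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="keep existing sessions"
add chain=input src-address-list=mgmt protocol=tcp dst-port=8291,8728,8729 action=accept comment="management from LAN only"
add chain=input in-interface-list=WAN protocol=tcp dst-port=8291,8728,8729 action=drop log=yes log-prefix="mgmt-probe" comment="no WinBox/API from WAN"
add chain=input in-interface-list=WAN action=drop comment="default deny on WAN"

# Version check and upgrade on the long-term channel. 6.42.1 (stable) and
# 6.40.8 (long-term) carry the CVE-2018-14847 fix; anything 6.47.x or later
# is past it, but the current long-term build closes the later bugs as well.
/system package update set channel=long-term
/system package update check-for-updates
/system package update print
/system package update install
```

Rule order matters: if the router already has a default firewall, use place-before= to put the accept rules above any existing drop, and check the log for the mgmt-probe prefix after a day to see how often the exposed ports are being scanned. The final default-deny rule also blocks inbound VPN or other services you may intentionally run on the WAN, so add explicit accept rules for those above it.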
