MikroTik 64710 Exploit

Security researchers from TeamT5 discovered this exploit being used in the wild by the threat actor group (also known as BlackTech or PLEAD). The group primarily targeted governmental entities and telecommunication industries in East Asia and the United States.

Exploitation Mechanics

MikroTik released patches for this vulnerability on . To secure your device, follow these steps:

The attacker sends a request to the WinBox port (8291) asking for the file /../root/sys rw/user.dat.

Hijacked MikroTik routers are prime nodes for services like 802.1x proxy botnets. Attackers sell access to these routers for $5–$50 per node, allowing other criminals to route their attacks through legitimate ISP IP addresses.

: Buffer overflows in SMB and FTP requests that can cause a Denial of Service (DoS).

The "FOISted" Exploit & Public Disclosure

To craft and send an exploit request, you can use a tool like curl or a vulnerability scanner. A proof-of-concept (PoC) exploit is available publicly, but we won't share it here to prevent misuse.

Unlike many router vulnerabilities that drop you into a restricted shell (e.g., /bin/ash with no privileges), the WinBox service runs with high integrity levels. Successful exploitation of 64710 grants the attacker the equivalent of the system user. From here, the attacker can: