Vulnerability Details : CVE-2020-5721
Potential exploit
MikroTik WinBox 3.22 and below stores the user's cleartext password in the settings.cfg.viw configuration file when the Keep Password field is set and no Master Password is set. Keep Password is set by default and, by default Master Password is not set. An attacker with access to the configuration file can extract a username and password to gain access to the router.
Products affected by CVE-2020-5721
- cpe:2.3:o:mikrotik:winbox:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-5721
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 20 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-5721
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1
|
LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
3.9
|
2.9
|
NIST | |
5.5
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
1.8
|
3.6
|
NIST |
CWE ids for CVE-2020-5721
-
The product stores a password in a configuration file that might be accessible to actors who do not know the password.Assigned by: vulnreport@tenable.com (Secondary)
-
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-5721
-
https://www.tenable.com/security/research/tra-2020-23
MikroTik WinBox Cleartext Password Storage - Research Advisory | TenableĀ®Exploit;Third Party Advisory
Jump to