Cross-Site Scripting Vulnerability in MikroTik RouterOS
CVE-2025-6563

4.8MEDIUM

Key Information:

Vendor

Mikrotik

Status
Routeros
Vendor
CVE Published:
3 July 2025

What is CVE-2025-6563?

A cross-site scripting vulnerability exists in MikroTik's RouterOS versions prior to 7.19.2. This flaw allows attackers to inject malicious JavaScript into the dst parameter, which can be exploited when a victim accesses a crafted URL. Upon logging in, the crafted payload executes, potentially compromising user accounts. The vulnerability leverages the ability to modify a POST login request into a GET request, enabling attackers to create URLs that auto-login victims to their accounts while executing harmful scripts.

Affected Version(s)

RouterOS 0 < 7.19.2

References

https://www.toreon.com/how-a-ski-trip-led-to-a-cve-in-a-w...

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2025-6563 : Cross-Site Scripting Vulnerability in MikroTik RouterOS