PatchSiren cyber security CVE debrief

CVE-2026-7668 MikroTik CVE debrief

A medium-severity out-of-bounds read vulnerability exists in MikroTik RouterOS 6.49.8 within the SCEP Endpoint component. The flaw resides in the ASN1_STRING_data function in nova/lib/www/scep.p, where manipulation of the transactionID or messageType arguments can cause the function to read past the bounds of the allocated buffer. The attack vector is network-accessible and requires no authentication, though the CVSS 4.0 vector rates the impact on confidentiality, integrity, and availability as low. The vulnerability was published on 2026-05-02 and last modified on 2026-05-20. Public exploit availability is noted in the source metadata. The vendor has confirmed remediation in current v6.x and v7.x releases.

Vendor: MikroTik
Product: RouterOS
CVSS: MEDIUM 5.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-02
Original CVE updated: 2026-05-20
Advisory published: 2026-05-02
Advisory updated: 2026-05-20

Who should care

Network administrators managing MikroTik RouterOS deployments with SCEP functionality enabled; security teams tracking publicly exploitable infrastructure vulnerabilities; organizations with remote-accessible certificate enrollment endpoints.

Technical summary

The vulnerability is an out-of-bounds read (CWE-125/CWE-119) in the ASN1_STRING_data function that handles SCEP protocol data. Affected version: RouterOS 6.49.8. Attack complexity is low, no privileges are required, and no user interaction is needed. Public exploits exist. A vendor fix is available in the current release branches.

Defensive priority

medium

Recommended defensive actions

  • Upgrade MikroTik RouterOS to the latest v6.x or v7.x version as recommended by the vendor
  • Review SCEP endpoint exposure and restrict network access where unnecessary
  • Monitor for anomalous SCEP traffic patterns targeting transactionID or messageType fields
  • Validate firmware integrity after upgrade via vendor-signed packages

Evidence notes

Vulnerability disclosed via VulDB with an NVD entry. Vendor acknowledgment is present in the description. Exploit existence is flagged in the CVSS 4.0 vector (E:P, proof-of-concept exploit maturity). CPE criteria are not populated in the source; vendor identification is marked low-confidence and requires review.
