CVE-2020-5721
First published: Wed Apr 15 2020(Updated: )
MikroTik WinBox 3.22 and below stores the user's cleartext password in the settings.cfg.viw configuration file when the Keep Password field is set and no Master Password is set. Keep Password is set by default and, by default Master Password is not set. An attacker with access to the configuration file can extract a username and password to gain access to the router.
Credit: vulnreport@tenable.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| MikroTik Winbox | <=3.22 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2020-5721.
What is the severity of CVE-2020-5721?
The severity of CVE-2020-5721 is medium with a score of 5.5.
What is the affected software?
The affected software is MikroTik WinBox version 3.22 and below.
How does CVE-2020-5721 store user passwords?
CVE-2020-5721 stores the user's cleartext password in the settings.cfg.viw configuration file when the Keep Password field is set and no Master Password is set.
Is there a fix for CVE-2020-5721?
Yes, updating MikroTik WinBox to a version above 3.22 will fix CVE-2020-5721 vulnerability.
- collector/nvd-index
- agent/severity
- agent/references
- agent/author
- vendor/mikrotik
- canonical/mikrotik winbox
- version/mikrotik winbox/3.22