CVE-2025-42611 (GCVE-0-2025-42611)

Vulnerability from cvelistv5 – Published: 2026-05-05 10:58 – Updated: 2026-05-05 12:49
VLAI?
Title
Improper certificate validation in multiple RouterOS services
Summary
RouterOS provides various services that rely on correct verification of client and server certificates to secure confidentiality and integrity of communications. This includes OpenVPN, CAPsMAN, Dot1x (802.1X), among others. The vulnerability lies in shared certificate validation logic which uses the system certificate store that is shared and equally trusted by all system services. This causes confusion of scope, allowing any certificate authority present in the system-wide trust store to be trusted in any context (with some exceptions), allowing partial or full authentication bypass in CAPsMAN, OpenVPN, Dot1X and potentially others.
Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE
  • CWE-295 - Improper certificate validation
Assigner
References
https://www.cert.si/en/cve-2025-42611/ third-party-advisorygovernment-resource
Impacted products
Vendor Product Version
Mikrotik RouterOS Affected: 0 , ≤ 7.20.x (semver)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-42611",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-05T12:38:09.152163Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-05T12:49:47.495Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "RouterOS",
          "vendor": "Mikrotik",
          "versions": [
            {
              "lessThanOrEqual": "7.20.x",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eRouterOS provides various services that rely on correct\nverification of client and server certificates to secure confidentiality and\nintegrity of communications. This includes OpenVPN, CAPsMAN, Dot1x (802.1X),\namong others.\u003c/p\u003e\u003cp\u003eThe vulnerability lies in shared certificate validation\nlogic which uses the system certificate store that is shared and equally\ntrusted by all system services. This causes confusion of scope, allowing any\ncertificate authority present in the system-wide trust store to be trusted in\nany context (with some exceptions), allowing partial or full authentication\nbypass in CAPsMAN, OpenVPN, Dot1X and potentially others. \u003c/p\u003e\n\n\n\n\n\n\u003cbr\u003e"
            }
          ],
          "value": "RouterOS provides various services that rely on correct\nverification of client and server certificates to secure confidentiality and\nintegrity of communications. This includes OpenVPN, CAPsMAN, Dot1x (802.1X),\namong others.\n\n\n\nThe vulnerability lies in shared certificate validation\nlogic which uses the system certificate store that is shared and equally\ntrusted by all system services. This causes confusion of scope, allowing any\ncertificate authority present in the system-wide trust store to be trusted in\nany context (with some exceptions), allowing partial or full authentication\nbypass in CAPsMAN, OpenVPN, Dot1X and potentially others."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-115",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-115 Authentication Bypass"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295 Improper certificate validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T10:58:36.937Z",
        "orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
        "shortName": "ENISA"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory",
            "government-resource"
          ],
          "url": "https://www.cert.si/en/cve-2025-42611/"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Improper certificate validation in multiple RouterOS services",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
    "assignerShortName": "ENISA",
    "cveId": "CVE-2025-42611",
    "datePublished": "2026-05-05T10:58:36.937Z",
    "dateReserved": "2025-04-16T12:34:02.865Z",
    "dateUpdated": "2026-05-05T12:49:47.495Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-42611",
      "date": "2026-05-06",
      "epss": "7e-05",
      "percentile": "0.00684"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-42611\",\"sourceIdentifier\":\"a6d3dc9e-0591-4a13-bce7-0f5b31ff6158\",\"published\":\"2026-05-05T11:16:31.827\",\"lastModified\":\"2026-05-05T11:16:31.827\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"RouterOS provides various services that rely on correct\\nverification of client and server certificates to secure confidentiality and\\nintegrity of communications. This includes OpenVPN, CAPsMAN, Dot1x (802.1X),\\namong others.\\n\\n\\n\\nThe vulnerability lies in shared certificate validation\\nlogic which uses the system certificate store that is shared and equally\\ntrusted by all system services. This causes confusion of scope, allowing any\\ncertificate authority present in the system-wide trust store to be trusted in\\nany context (with some exceptions), allowing partial or full authentication\\nbypass in CAPsMAN, OpenVPN, Dot1X and potentially others.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"a6d3dc9e-0591-4a13-bce7-0f5b31ff6158\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"weaknesses\":[{\"source\":\"a6d3dc9e-0591-4a13-bce7-0f5b31ff6158\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-295\"}]}],\"references\":[{\"url\":\"https://www.cert.si/en/cve-2025-42611/\",\"source\":\"a6d3dc9e-0591-4a13-bce7-0f5b31ff6158\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-42611\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-05T12:38:09.152163Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-05T12:38:13.937Z\"}}], \"cna\": {\"title\": \"Improper certificate validation in multiple RouterOS services\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"impacts\": [{\"capecId\": \"CAPEC-115\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-115 Authentication Bypass\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Mikrotik\", \"product\": \"RouterOS\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"7.20.x\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.cert.si/en/cve-2025-42611/\", \"tags\": [\"third-party-advisory\", \"government-resource\"]}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.2\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"RouterOS provides various services that rely on correct\\nverification of client and server certificates to secure confidentiality and\\nintegrity of communications. This includes OpenVPN, CAPsMAN, Dot1x (802.1X),\\namong others.\\n\\n\\n\\nThe vulnerability lies in shared certificate validation\\nlogic which uses the system certificate store that is shared and equally\\ntrusted by all system services. This causes confusion of scope, allowing any\\ncertificate authority present in the system-wide trust store to be trusted in\\nany context (with some exceptions), allowing partial or full authentication\\nbypass in CAPsMAN, OpenVPN, Dot1X and potentially others.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eRouterOS provides various services that rely on correct\\nverification of client and server certificates to secure confidentiality and\\nintegrity of communications. This includes OpenVPN, CAPsMAN, Dot1x (802.1X),\\namong others.\u003c/p\u003e\u003cp\u003eThe vulnerability lies in shared certificate validation\\nlogic which uses the system certificate store that is shared and equally\\ntrusted by all system services. This causes confusion of scope, allowing any\\ncertificate authority present in the system-wide trust store to be trusted in\\nany context (with some exceptions), allowing partial or full authentication\\nbypass in CAPsMAN, OpenVPN, Dot1X and potentially others. \u003c/p\u003e\\n\\n\\n\\n\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-295\", \"description\": \"CWE-295 Improper certificate validation\"}]}], \"providerMetadata\": {\"orgId\": \"a6d3dc9e-0591-4a13-bce7-0f5b31ff6158\", \"shortName\": \"ENISA\", \"dateUpdated\": \"2026-05-05T10:58:36.937Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-42611\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-05T12:49:47.495Z\", \"dateReserved\": \"2025-04-16T12:34:02.865Z\", \"assignerOrgId\": \"a6d3dc9e-0591-4a13-bce7-0f5b31ff6158\", \"datePublished\": \"2026-05-05T10:58:36.937Z\", \"assignerShortName\": \"ENISA\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.