MikroTik RouterOS SMB DoS Flaw CVE-2024-27686 Lets Remote Attackers
CVE-2024-27686 (CVSS 7.5) affects MikroTik RouterOS x86 versions 6.40.5 through 6.49.10 — a crafted SMB packet on TCP 445 triggers a device crash. No authentication required.

Executive Summary
A publicly disclosed denial-of-service vulnerability in MikroTik RouterOS, tracked as CVE-2024-27686 (CVSS 7.5), allows unauthenticated remote attackers to crash affected devices by sending a specially crafted packet to the SMB service on TCP port 445. The flaw impacts MikroTik RouterOS x86 builds from version 6.40.5 through 6.49.10. MikroTik addressed the issue in RouterOS version 7, but no standalone patch for the 6.x branch has been released. A proof-of-concept exploit has been published on GitHub by researcher ice-wzl, raising the risk of in-the-wild scanning.
Technical Analysis
CVE-2024-27686 resides in the SMB server implementation within MikroTik RouterOS for x86 architectures. The SMB service listens on TCP port 445 by default and processes incoming session requests. According to the vulnerability disclosure and accompanying proof-of-concept code published on GitHub, sending a malformed packet with specific crafted fields triggers an unhandled exception in the SMB parsing routine, causing the entire operating system to crash and reboot.
The vulnerability requires no authentication — any remote host that can reach port 445 on the target RouterOS device can trigger the denial of service. The crash results in a full device reset, disrupting routing, firewall, VPN, and all other services running on the affected router. Repeated exploitation could lead to sustained denial of service.
The affected version range — 6.40.5 through 6.49.10 — covers several years of stable releases in the RouterOS 6.x line. MikroTik has not backported a fix to the 6.x branch; the company considers RouterOS 7 the upgrade path. This leaves a large installed base of devices running 6.x exposed unless operators manually disable or firewall the SMB service.
Researcher ice-wzl published the proof-of-concept code on GitHub under the repository "RouterOS-SMB-DOS-POC." The repository includes a Python script that constructs the malformed SMB packet and sends it to the target. As of this writing, the exploit code is publicly accessible and functional.
Mitigations & Recommendations
Defenders operating MikroTik RouterOS 6.x devices should take the following steps immediately:
- Upgrade to RouterOS 7 if hardware supports it. Version 7 is not affected by this vulnerability and includes additional security improvements.
- Block inbound TCP port 445 at the network perimeter and on internal firewall rules if SMB is not required for management. The SMB service in RouterOS is primarily used for file sharing and Windows network browsing — many deployments do not need it exposed.
- Restrict SMB access by source IP using RouterOS firewall rules if the service is necessary. Limit connections to trusted management hosts only.
- Monitor for unexpected reboots or SMB-related log entries that may indicate exploitation attempts.
For devices that cannot be upgraded to RouterOS 7, disabling the SMB service entirely is the most effective mitigation. This can be done via the RouterOS CLI or the WinBox interface by disabling the SMB service. Note that disabling SMB will break any legitimate file-sharing functions that depend on it.
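The following RouterOS 6.x CLI commands put the mitigations above into practice. They are an added example written for this article, not configuration published by MikroTik or by the researcher; the address-list name "mgmt-hosts", the 192.0.2.10/32 entry, the rule comments and the log prefix are placeholders chosen here.

```routeros
# Added example (not from the article or from MikroTik): RouterOS 6.x CLI
# commands implementing the mitigations described above. The address-list
# name "mgmt-hosts" and the 192.0.2.10/32 entry are placeholder values.

# 1. Preferred: turn the SMB server off entirely if nothing depends on it.
/ip smb set enabled=no

# 2. If SMB must stay on, allow it only from trusted management hosts.
/ip firewall address-list add list=mgmt-hosts address=192.0.2.10/32 comment="trusted admin workstation"
/ip firewall filter add chain=input protocol=tcp dst-port=445 src-address-list=mgmt-hosts action=accept comment="SMB from management hosts only"

# 3. Drop and log everything else aimed at TCP/445 on the router itself.
#    The log prefix makes probing attempts easy to find in /log.
/ip firewall filter add chain=input protocol=tcp dst-port=445 action=drop log=yes log-prefix="SMB445-DROP" comment="CVE-2024-27686 exposure"

# 4. Write a marker to the log on every boot so unexpected reboots stand out.
/system scheduler add name=boot-marker start-time=startup interval=0 on-event="/log warning \"router booted - verify this reboot was expected\""

# 5. Verify: SMB state, hit counters on the 445 rules, and logged drops.
/ip smb print
/ip firewall filter print stats where dst-port=445
/log print where message~"SMB445-DROP"
```

Firewall filter rules are evaluated in order and `add` appends to the end of the chain, so on a router that already has a broad "accept all input" or "accept established/related" rule, use `place-before=<rule number>` to position the two 445 rules above it; otherwise they are never reached. If the device is managed over the WAN interface, also confirm that the drop rule does not sit after a rule that already accepts all traffic from the Internet.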