MikroTik, a networking equipment company, has released a patch for a serious vulnerability in its RouterOS software. The vulnerability, CVE-2023-32154, affects devices running RouterOS v6.xx and v7.xx with the IPv6 advertisement receiver enabled. According to the Trend Micro Zero Day Initiative (ZDI), exploitation does not require authentication and can result in out-of-bounds writes, allowing remote attackers to execute arbitrary code on vulnerable devices.

ZDI reported the bug to MikroTik during the Pwn2Own Toronto hacking competition in December 2020, and contacted the company again in May 2021 with questions about the patch. As a result, ZDI redisclosed the report at the manufacturer's request and gave the company an additional week to issue fixes. MikroTik has now confirmed that the bug was exploited five months ago at the Pwn2Own Toronto hacking competition, and says it was unable to find a record of the December disclosure from ZDI.