Description
RouterOS provides various services that rely on correct
verification of client and server certificates to secure confidentiality and
integrity of communications. This includes OpenVPN, CAPsMAN, Dot1x (802.1X),
among others.



The vulnerability lies in shared certificate validation
logic which uses the system certificate store that is shared and equally
trusted by all system services. This causes confusion of scope, allowing any
certificate authority present in the system-wide trust store to be trusted in
any context (with some exceptions), allowing partial or full authentication
bypass in CAPsMAN, OpenVPN, Dot1X and potentially others.
Published: 2026-05-05
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in RouterOS’s shared certificate validation logic, which consults the system‑wide trust store. Any certificate authority present in that store is accepted by all services that rely on it, including OpenVPN, CAPsMAN, and Dot1X. This creates a trust‑store bypass, allowing an attacker who can introduce a CA to the router to perform authentication bypass and potentially control VPN tunnels or wireless management, thereby compromising confidentiality, integrity, and availability of network communications. The vulnerability is identified as CWE-295.

Affected Systems

The affected product is Mikrotik RouterOS. All services that depend on certificate validation—such as OpenVPN, CAPsMAN, and Dot1X—are vulnerable whenever a trusted CA is present in the system certificate store. The advisory does not specify affected firmware versions, implying the issue exists in all current releases that use the shared validation logic.

Risk and Exploitability

The CVSS score of 6.5 indicates a medium‑severity flaw. EPSS information is unavailable, and the vulnerability is not listed in CISA KEV. The primary risk is that an attacker who can add a CA to the system trust store can bypass authentication checks in multiple critical services. While the specific attack vector (e.g., local configuration access or remote certificate upload) is not detailed in the advisory, the presence of the flaw suggests that controlling the trust store would enable successful exploitation. The impact is significant because it undermines the primary authentication mechanisms for several core RouterOS services.

Generated by OpenCVE AI on May 5, 2026 at 13:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RouterOS to the latest firmware that addresses certificate validation issues
  • Remove any unnecessary trusted certificate authorities from the system trust store and restrict future additions to only the CAs required for operation
  • If an update cannot be applied immediately, disable or tightly restrict services that rely on certificate validation—such as CAPsMAN, OpenVPN, and Dot1X—until a patch is available

Generated by OpenCVE AI on May 5, 2026 at 13:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.cert.si/en/cve-2025-42611/ cve-icon cve-icon
History

Tue, 05 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Mikrotik
Mikrotik routeros
Vendors & Products Mikrotik
Mikrotik routeros

Tue, 05 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 05 May 2026 11:15:00 +0000

Type Values Removed Values Added
Description RouterOS provides various services that rely on correct verification of client and server certificates to secure confidentiality and integrity of communications. This includes OpenVPN, CAPsMAN, Dot1x (802.1X), among others. The vulnerability lies in shared certificate validation logic which uses the system certificate store that is shared and equally trusted by all system services. This causes confusion of scope, allowing any certificate authority present in the system-wide trust store to be trusted in any context (with some exceptions), allowing partial or full authentication bypass in CAPsMAN, OpenVPN, Dot1X and potentially others.
Title Improper certificate validation in multiple RouterOS services
Weaknesses CWE-295
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Mikrotik Routeros
cve-icon MITRE

Status: PUBLISHED

Assigner: ENISA

Published:

Updated: 2026-05-05T12:49:47.495Z

Reserved: 2025-04-16T12:34:02.865Z

Link: CVE-2025-42611

cve-icon Vulnrichment

Updated: 2026-05-05T12:38:13.937Z

cve-icon NVD

Status : Received

Published: 2026-05-05T11:16:31.827

Modified: 2026-05-05T11:16:31.827

Link: CVE-2025-42611

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T15:00:16Z

Weaknesses