MikroTik RouterOS 6.49.8 SCEP Endpoint Vulnerability (CVE-2026-7668)

The National Vulnerability Database has disclosed CVE-2026-7668, a high-severity (CVSS 7.3) out-of-bounds read vulnerability impacting MikroTik RouterOS 6.49.8. Specifically, the flaw resides in the ASN1_STRING_data function within the SCEP Endpoint component, located in nova/lib/www/scep.p.

Attackers can trigger this vulnerability remotely by manipulating the transactionID or messageType arguments. The critical concern here is that an exploit for this flaw is already publicly available, significantly lowering the bar for attackers. MikroTik reportedly did not respond to early disclosure attempts, leaving defenders in a precarious position.

This vulnerability presents a clear and present danger to organizations using affected MikroTik devices. An out-of-bounds read can lead to information disclosure or, in some cases, remote code execution, giving attackers a foothold into network infrastructure. The public exploit availability means active exploitation is highly probable, demanding immediate attention from network administrators.

What This Means For You

  • If your organization uses MikroTik RouterOS 6.49.8, you are directly exposed. This isn't theoretical; a public exploit exists. You need to immediately identify all MikroTik devices running this specific version, isolate them, and monitor for any vendor-issued patches or workarounds. Prioritize this vulnerability as if it were actively exploited on your network, because it very well could be.

🛡️ Detection Rules

1 detection rule auto-generated for this incident, mapped to MITRE ATT&CK.

critical T1190 Initial Access

MikroTik RouterOS SCEP Endpoint Out-of-Bounds Read - CVE-2026-7668

Sigma YAML
title: MikroTik RouterOS SCEP Endpoint Out-of-Bounds Read - CVE-2026-7668
id: scw-2026-05-02-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-7668 by targeting the SCEP endpoint in MikroTik RouterOS. The vulnerability lies in the ASN1_STRING_data function within nova/lib/www/scep.p, which can be triggered by manipulating the 'transactionID' and 'messageType' parameters in SCEP requests, leading to an out-of-bounds read. This rule specifically looks for requests to '/scep.p' containing these vulnerable parameters.
author: SCW Feed Engine (AI-generated)
date: 2026-05-02
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7668/
tags:
  - attack.initial_access
  - attack.t1190
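logsource:
  category: webserver
detection:
  # Fields inside a selection are ANDed; the values listed under one field are ORed.
  # In SCEP (RFC 8894) transactionID and messageType are signed attributes inside the
  # PKCS#7 message, so confirm they appear in your logged query strings before relying on this.
  selection:
    cs-uri|contains:
      - '/scep.p'
    cs-uri-query|contains:
      - 'transactionID='
      - 'messageType='
  # condition is a key of detection, alongside selection, not a field inside it.
  condition: selection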
falsepositives:
  - Legitimate administrative activity
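
How the rule's selection evaluates, as an added Python example that is not part of the original rule or page: fields are ANDed, the values under one field are ORed, and matching is case-insensitive (Sigma's default). The W3C-style log layout, the field order and every sample line are constructed for illustration.

```python
# Selection copied from the rule above: field -> substrings (any one may match).
SELECTION = {
    "cs-uri": ["/scep.p"],
    "cs-uri-query": ["transactionID=", "messageType="],
}

# Constructed sample log, not real traffic; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri cs-uri-query sc-status
2026-05-03 00:20:01 198.51.100.7 GET /scep.p transactionID=example&messageType=example 500
2026-05-03 00:20:05 192.0.2.10 GET /scep.p operation=GetCACaps 200
2026-05-03 00:20:09 198.51.100.7 POST /scep.p messageType=example 500
2026-05-03 00:21:30 192.0.2.44 GET /index.html transactionID=example 200
2026-05-03 00:22:10 192.0.2.10 GET /scep.p - 200
2026-05-03 00:23:45 203.0.113.5 GET /SCEP.P TransactionID=example 500
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip malformed or truncated rows
                yield dict(zip(fields, values))


def matches(event, selection=SELECTION):
    """Every field must match (AND); any listed value suffices (OR); case-insensitive."""
    return all(
        any(needle.lower() in event.get(field, "").lower() for needle in needles)
        for field, needles in selection.items()
    )


def hits_by_source(text):
    """Count matching requests per client address, for triage."""
    counts = {}
    for event in parse_w3c(text):
        if matches(event):
            counts[event["c-ip"]] = counts.get(event["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for ip, n in hits_by_source(SAMPLE_LOG).items():
        print(f"{ip}: {n} matching request(s)")
```

Requests to the endpoint that carry neither parameter in the query string, such as the `operation=GetCACaps` line, do not match, which is the coverage gap to check against your own logs.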

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7668 | Information Disclosure | MikroTik RouterOS version 6.49.8 |
| CVE-2026-7668 | Memory Corruption | Function ASN1_STRING_data in nova/lib/www/scep.p (SCEP Endpoint component) |
| CVE-2026-7668 | Out-of-bounds Read | Manipulation of argument transactionID/messageType |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 03, 2026 at 00:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
