VYPR
Medium severity · NVD Advisory · Published Jul 3, 2025 · Updated Apr 15, 2026

CVE-2025-6563

Description

A cross-site scripting vulnerability is present in the hotspot of MikroTik's RouterOS on versions below 7.19.2. An attacker can inject the javascript protocol in the dst parameter. When the victim browses to the malicious URL and logs in, the XSS executes. The POST request used to log in can also be converted to a GET request, allowing an attacker to send a specifically crafted URL that automatically logs in the victim (into the attacker's account) and triggers the payload.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS in MikroTik RouterOS <7.19.2 hotspot allows injection of the javascript: protocol into the dst parameter, which can be weaponised via a crafted login URL to auto-login and trigger the payload.

Vulnerability

Description

The hotspot login page of MikroTik RouterOS versions before 7.19.2 contains a reflected cross-site scripting (XSS) vulnerability in the dst parameter [1]. When a user submits credentials, a POST request is sent including the dst value, and after successful authentication the browser is redirected to the URL specified in that parameter. The input is not properly sanitized, so an attacker can supply a value like javascript:alert(1) instead of a legitimate URL, causing script execution in the victim's browser [1].

Exploitation

Vector

An attacker can craft a URL such as https:///login?dst=javascript:... and lure a victim into visiting it [1]. When the victim enters their credentials and logs in, the malicious dst value is stored in a hidden form field and later used for the redirect, triggering the XSS. Moreover, the login endpoint also accepts GET requests; an attacker can construct a URL that automatically logs the victim into the attacker's hotspot account (by including valid credentials) and simultaneously executes the malicious payload, removing the need for the victim to manually authenticate [1].
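The redirect handling described above, as an added example that is not MikroTik's or RouterOS's own code: the unsafe pattern (dst echoed into the post-login redirect unchanged) beside a hardened version that parses dst with the same WHATWG URL algorithm browsers use and accepts only http/https, plus a classifier that flags login requests carrying a non-http dst or credentials in the query string (the GET auto-login variant). The origin hotspot.example, the parameter names username/password/dst, and the sample request lines are constructed for illustration.

```javascript
// Added example (not MikroTik/RouterOS code). Assumed hotspot origin.
const HOTSPOT_ORIGIN = 'http://hotspot.example';
const DEFAULT_LANDING = HOTSPOT_ORIGIN + '/status';

// Vulnerable pattern: dst arrives in the query string, is carried in a hidden
// form field, and after login is handed to the browser unchanged, so a
// javascript: value runs as script when the redirect happens.
function redirectTargetVulnerable(dst) {
  return dst;
}

// The tempting fix, a prefix blocklist, does not model the browser: the WHATWG
// URL parser lowercases the scheme, strips leading/trailing whitespace and
// control characters, and deletes embedded tabs and newlines before matching.
function naiveCheckAllows(dst) {
  return !dst.toLowerCase().startsWith('javascript:');
}

// Hardened check: parse with Node's WHATWG-conformant URL class, resolving
// relative paths against the hotspot origin, and allow only http/https.
// data:, javascript: and unparseable input are all rejected.
function isHttpTarget(dst) {
  if (typeof dst !== 'string' || dst.length === 0 || dst.length > 2048) return false;
  let parsed;
  try {
    parsed = new URL(dst, HOTSPOT_ORIGIN);
  } catch {
    return false;
  }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// What the server should emit as the post-login redirect: the normalised
// target when it passes the check, a fixed landing page otherwise.
function redirectTargetSafe(dst, fallback = DEFAULT_LANDING) {
  return isHttpTarget(dst) ? new URL(dst, HOTSPOT_ORIGIN).href : fallback;
}

// Detection side: given a request URL to the login endpoint as it would appear
// in an access log, flag a dst that is not http/https and a request that
// carries credentials in the query string. searchParams percent-decodes.
function classifyLoginRequest(requestUrl) {
  const params = new URL(requestUrl).searchParams;
  const dst = params.get('dst');
  return {
    dangerousDst: dst !== null && !isHttpTarget(dst),
    credentialsInQuery: params.has('username') && params.has('password'),
  };
}

// Constructed sample request lines (not real traffic).
const SAMPLE_REQUESTS = [
  'http://hotspot.example/login?dst=http://intranet.example/',
  'http://hotspot.example/login?dst=%2Fstatus',
  'http://hotspot.example/login?username=guest&password=guest&dst=javascript%3Aalert(document.cookie)',
  'http://hotspot.example/login?dst=%20JavaScript%3Aalert(1)',
];

// Returns the sample lines whose dst would execute rather than navigate.
function scanLog(lines) {
  return lines.filter((line) => classifyLoginRequest(line).dangerousDst);
}

for (const line of scanLog(SAMPLE_REQUESTS)) {
  console.log('suspicious login request:', line, classifyLoginRequest(line));
}
```

The check deliberately uses the browser's own parser rather than string matching: `' javascript:alert(1)'`, `'JavaScript:alert(1)'` and `'java\tscript:alert(1)'` all pass naiveCheckAllows but navigate to a javascript: URL once the browser normalises them, and all three are rejected by isHttpTarget. Allowing http/https closes the script-execution path discussed here; restricting dst to the hotspot's own host would additionally prevent open redirects, which is a separate hardening step not covered by the advisory.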

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the hotspot login page. This can be used to steal session cookies, intercept login credentials, perform actions on behalf of the victim, or redirect the user to phishing pages [1]. The attack does not require the victim to already hold an authenticated session on the router; it only requires the victim to be able to reach the hotspot login page (typically by being on the same network) and to visit a crafted link.

Mitigation

MikroTik has addressed the vulnerability in RouterOS version 7.19.2 [1]. Users should update their routers to the latest stable release to eliminate the XSS flaw. As a workaround, network administrators can disable the hotspot feature if it is not needed, or restrict access to the login page via firewall rules [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 1
