https://blog.mikrotik.com/security/cve-2023-30799.html
In short - very low risk issue.
A trivializing sentence at the end.In short, a RouterOS admin with full rights can already do anything in RouterOS and has full control over all configuration, but should not be able to run other code or inject other files in the subsystem of RouterOS.
As someone working for Mikrotik, you should not play this down.In short - very low risk issue.
I'm not sure about that. I've been following `curl` maintainer's sage with MITRE — conclusion was "panic by default": https://daniel.haxx.se/blog/2023/09/05/ ... ollow-ups/That would likely end the constant search of "vulnerabilities" to get that access.
Could you not integrate a feature into RouterOS, to check that the subsystem has not been manipulated?You don't need any CVE for that. Please re-read the original post.
In theory you could even take the router apart and re-solder some chips on it. What is the point calling such situations "vulnerabilities"? If your device has full admin access to malicious parties, ALL IS LOST already