The CVE-2023-32154 hole affects devices running MikroTik RouterOS versions v6.xx and v7.xx with enabled IPv6 advertisement receiver capability, according to a barebones advisory from Mikrotik. The vulnerability reportedly enables network-adjacent attackers to execute arbitrary code on vulnerable installations of Mikrotik RouterOS, according to ZDI, organisers of the Pwn2Own software exploitation event.
ZDI issued a warning in an advisory, saying that “Authentication is not required to exploit this vulnerability.” “The Router Advertisement Daemon is affected by the specific issue. Because user-supplied data is not properly validated, it may be written past the end of a buffer that has been allotted, which causes the problem. The company stated that a hacker might use this vulnerability to execute programmes as root.