ASA-2020-00001 – MikroTik WinBox: Path traversal vulnerability in the parameter name from the list of files

Allele Security Alert



ASA-2020-00001, CVE-2020-5720, TRA-2020-07


Path traversal vulnerability in the parameter name from the list of files




MikroTik WinBox

Affected version(s)

MikroTik WinBox before version 3.21

Fixed version(s)

MikroTik WinBox version 3.21

Proof of concept



MikroTik WinBox before 3.21 is vulnerable to a path traversal issue that allows an attacker to write files anywhere on the system where WinBox has write privileges.

Technical details

When WinBox connects to a router, it downloads the list file from /home/web/webfig/. This file contains a list of files that WinBox should download in order to obtain package descriptions. WinBox downloads these files and stores them on the client’s system within the MikroTik roaming directory:

C:\Users\[username]\AppData\Roaming\Mikrotik\Winbox

The names of the created files come directly from the downloaded list file. For example, this is a line from list:

{ crc: 164562873, size: 1149, name: "advtool.jg", unique: "advtool-fc1932f6809e.jg", version: "6.39.3" }

WinBox will use the name “advtool.jg” as the filename in the roaming directory. However, WinBox does not perform any directory traversal check on these names. So if presented with:

{ crc: 164562873, size: 1149, name: "../../../../../../../Users/Public/lol.txt", unique: "advtool-fc1932f6809e.jg", version: "6.39.3" }

then WinBox would create the file C:\Users\Public\lol.txt and fill it with contents provided by the attacker.
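As an added illustration, not code from the advisory or from MikroTik, the following Python parses entries in the list-file format shown above and applies the check WinBox lacked: the name must be a bare file name, and the resolved destination must stay inside the roaming directory. The parser, the sample entries, the target directory and the function names are assumptions made for this example.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed sample in the list-file format described above: one benign
# entry and one entry carrying the traversal name quoted in the advisory.
SAMPLE_LIST = '''{ crc: 164562873, size: 1149, name: "advtool.jg", unique: "advtool-fc1932f6809e.jg", version: "6.39.3" }
{ crc: 164562873, size: 1149, name: "../../../../../../../Users/Public/lol.txt", unique: "advtool-fc1932f6809e.jg", version: "6.39.3" }
'''

# Matches key: value pairs inside one { ... } entry; values are numbers or quoted strings.
_FIELD = re.compile(r'(\w+):\s*(?:"([^"]*)"|(\d+))')


def parse_list(text: str) -> List[Dict[str, str]]:
    """Hypothetical parser: turn each { key: value, ... } line into a dict of strings."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("{") and line.endswith("}")):
            continue
        entries.append({key: (s or n) for key, s, n in _FIELD.findall(line)})
    return entries


def safe_name(name: str) -> bool:
    """Accept only a bare file name: no '.'/'..', no separators, no drive or NUL characters."""
    if not name or name in (".", "..") or os.path.isabs(name):
        return False
    return not any(bad in name for bad in ("/", "\\", ":", "\x00"))


def plan_downloads(text: str, target_dir: str) -> Tuple[List[str], List[str]]:
    """Return (accepted destination paths, rejected names) for the entries in text.

    Two independent checks: a whitelist on the raw name, then a containment
    check on the resolved path so a name can never escape target_dir."""
    base = os.path.realpath(target_dir)
    accepted, rejected = [], []
    for entry in parse_list(text):
        name = entry.get("name", "")
        dest = os.path.realpath(os.path.join(base, name))
        if not safe_name(name) or os.path.commonpath([base, dest]) != base:
            rejected.append(name)  # e.g. the ../../ entry is dropped, not written
            continue
        accepted.append(dest)
    return accepted, rejected
```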

An attacker can exploit this bug by getting a victim to connect to a malicious MikroTik router, a fake router (see the PoC for CVE-2019-3981), or via a man-in-the-middle attack. The attacker can then perform the downgrade attack described in TRA-2020-01, after which the client will try to download the files from the attacker.


Credits

Jacob Baines (Tenable Research)


Reference(s)

MikroTik WinBox Path Traversal

Winbox v3.21 released!

MikroTik WinBox Man-in-the-Middle Password Hash Disclosure



If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 7, 2020

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.