Samba client code (libsmbclient) returns server-supplied filenames to calling code without checking for pathname separators (such as "/" or"../") in the server returned names. A malicious server can craft a pathname containing separators and return this to client code, causing the client to use this access local pathnames for reading or writing instead of SMB network pathnames. This access is done using the local privileges of the client. This attack can be achieved using any of SMB1/2/3 as it is not reliant on any specific SMB protocol version.
RouterOS 6.45.6 Stable, RouterOS 6.44.5 Long-term, and below are vulnerable to an arbitrary directory creation vulnerability via the upgrade package's name field. If an authenticated user installs a malicious package then a directory could be created and the developer shell could be enabled.