CVE-2025-10948HIGH 8.8EPSS p48.8%

CVE-2025-10948CVE-2025-10948

Description

A vulnerability has been found in MikroTik RouterOS 7. This affects the function parse_json_element of the file /rest/ip/address/print of the component libjson.so. The manipulation leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 7.20.1 and 7.21beta2 mitigates this issue. You should upgrade the affected component. The vendor replied: "Our bug tracker reports that your issue has been fixed. This means that we plan to release a RouterOS update with this fix. Make sure to upgrade to the next release when it comes out."

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.71% probability of exploitation · percentile 48.8% · 2026-06-18T12:00:27Z
Published2025-09-25
Last modified2026-04-15

Underlying weaknesses· 2

CWE-119CWE-120

References

  1. https://github.com/a2ure123/libjson-unicode-buffer-overflow-poc
  2. https://github.com/a2ure123/libjson-unicode-buffer-overflow-poc#technical-proof-of-concept
  3. https://vuldb.com/?ctiid.325818
  4. https://vuldb.com/?id.325818
  5. https://vuldb.com/?submit.652387
  6. https://github.com/a2ure123/libjson-unicode-buffer-overflow-poc

2

TypeTargetConfidenceTier
WeaknessImproper Restriction of Operations within the Bounds of a Memory Buffercwe-1190%live
WeaknessBuffer Copy without Checking Size of Input ('Classic Buffer Overflow')cwe-1200%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
MikroTik RouterOS Stack-Based Buffer Overflow Vulnerability
CVE
CVE-2025-8170
CVE
CVE-2025-7913
CVE
CVE-2025-7912
CVE
CVE-2025-61481
CVE
CVE-2025-7837
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.