You may have seen recent reports about a network of approximately 13,000 MikroTik routers being compromised and used to send spam emails. We want to provide clarity on what happened and simple steps to ensure your devices are secure.
What Happened:
Security researchers discovered that attackers exploited MikroTik routers running outdated firmware to enable a SOCKS proxy feature, turning the routers into relay points for spam email. The compromised routers were then used to send emails that appeared to come from legitimate domains by exploiting misconfigured DNS (SPF) records. This was NOT a flaw in current MikroTik firmware — it targeted devices that had not been updated and were using default credentials.
Am I Affected?
Your router is likely safe if you have:
- Updated to the latest RouterOS firmware
- Changed the default admin password
- Disabled unnecessary services (especially SOCKS proxy)
Recommended Actions:
- Update RouterOS — Log in to your router at its IP address, go to System → Packages → Check for Updates. Install the latest stable release.
- Change default credentials — If you're still using "admin" with no password, change it immediately under System → Users.
- Disable SOCKS proxy — Go to IP → SOCKS and ensure it is disabled (it is off by default).
- Review firewall rules — Ensure management ports (8291/Winbox, 80/443/Web, 22/SSH) are not exposed to the public internet. Restrict access to trusted IPs only.
- Check for unknown scripts — Go to System → Scripts and System → Scheduler. Remove any entries you did not create.
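
For anyone checking more than a handful of routers, the SOCKS, management-service and script/scheduler checks above can be run against a saved configuration export. The following is an added example, not MikroTik's or our own tooling: it assumes the text comes from `/export verbose` (so default values are present), it uses the per-service `address` field under `/ip service` as a complement to the firewall review, and the sample export is constructed.

```python
import re
import shlex

# Services behind the management ports the advisory names (8291, 80, 443, 22).
MGMT = {"winbox", "www", "www-ssl", "ssh"}

def parse_export(text):
    """Yield (menu, verb, item, props) for each command in a RouterOS export."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join lines wrapped with a trailing backslash
    menu = ""
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # menu header such as "/ip socks"
            menu = line
            continue
        verb, *rest = shlex.split(line)
        props = dict(t.split("=", 1) for t in rest if "=" in t)
        bare = [t for t in rest if "=" not in t]
        yield menu, verb, (bare[0] if bare else props.get("name", "")), props

def audit(text):
    """Return findings that map to the recommended actions above."""
    findings = []
    for menu, verb, item, props in parse_export(text):
        if menu == "/ip socks" and verb == "set" and props.get("enabled") == "yes":
            findings.append("socks: proxy is enabled")
        elif menu == "/ip service" and verb == "set" and item in MGMT:
            # An empty address list means the service accepts any source address.
            if props.get("disabled") != "yes" and not props.get("address"):
                findings.append(f"service: {item} has no address restriction")
        elif menu in ("/system script", "/system scheduler") and verb == "add":
            findings.append(f"{menu[8:]}: review entry '{item}'")
    return findings

# Constructed sample export (not from a real device).
SAMPLE = r'''# constructed sample
/ip socks
set enabled=yes port=1080
/ip service
set telnet address="" disabled=yes port=23
set www address="" disabled=no port=80
set ssh address=192.0.2.0/24 disabled=no port=22
set www-ssl address="" disabled=yes port=443
set winbox address="" disabled=no \
    port=8291
/system scheduler
add interval=30s name=sched1 on-event="/system script run job1"
/system script
add name=job1 source="/log info \"constructed placeholder\""
'''
```

Every script and scheduler entry is listed for review because the export alone cannot tell which ones you created; compare the names against your own records.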
If you need assistance verifying your configuration or updating firmware, our support team is happy to help.