How to remediate – MikroTik Neighbor Discovery Protocol Detection

Contents

1. Introduction

The MikroTik Neighbor Discovery Protocol Detection vulnerability indicates a service listening on a port used for discovering devices within a Layer 2 broadcast domain. This allows attackers to identify MikroTik devices on the network, potentially leading to further reconnaissance and exploitation attempts. Systems affected are typically those running RouterOS, particularly those with the MNDP feature enabled. A successful exploit could compromise confidentiality, integrity, and availability of the device and connected network segments.

2. Technical Explanation

The vulnerability arises from the presence of a listening service supporting MikroTik Neighbor Discovery Protocol (MNDP). This protocol is used by MikroTik routers to locate other devices on the local network segment. An attacker can use this to enumerate devices running RouterOS, which could then be targeted for further attacks. There is no specific CVE associated with simply having the service enabled; however, it increases the attack surface. An example scenario involves an attacker using a tool like Nmap to identify MikroTik routers on a network by scanning for the MNDP port.

Root cause: The MNDP service listens for discovery requests without strict access controls.
Exploit mechanism: An attacker sends discovery packets to enumerate devices, then attempts known RouterOS exploits against identified targets.
Scope: MikroTik RouterOS devices with the Neighbor Discovery Protocol enabled are affected.

3. Detection and Assessment

Confirming vulnerability involves checking for the listening MNDP service on your network. A quick check can be performed using port scanning, while a thorough method requires examining RouterOS configuration.

Quick checks: Use Nmap to scan for UDP port 7000.
Scanning: Nessus plugin ID 138695 may identify the service. This is an example only and should be verified.
Logs and evidence: RouterOS logs do not typically record MNDP activity directly, so detection relies on identifying the listening port.

nmap -sU -p 7000

4. Solution / Remediation Steps

The recommended solution is to disable the Neighbor Discovery Protocol if it’s not required. If needed, restrict access using firewall rules.

4.1 Preparation

Dependencies: None. Roll back plan: Re-enable the Neighbor Discovery Protocol in RouterOS if issues arise.
Change window: Consider scheduling during off-peak hours. Approval from a senior network administrator is recommended.

4.2 Implementation

Step 1: Disable MNDP using the following command: /ip neighbor discovery disable.
Step 2: Verify that the service is disabled (see verification steps below).

4.3 Config or Code Example

Before

/ip neighbor discovery print
Flags: X = disabled, I = enabled
0     enabled=yes ...

After

/ip neighbor discovery print
Flags: X = disabled, I = enabled
0     enabled=no ...

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help mitigate this vulnerability type.

Practice 1: Least privilege – only enable services that are absolutely necessary.
Practice 2: Network segmentation – isolate critical systems from untrusted networks.

4.5 Automation (Optional)

# Example script for disabling MNDP via SSH using RouterOS API
/tool fetch url="https://your_router_ip/restapi/command/disable-mndp" mode=http user="your_user" password="your_password"

5. Verification / Validation

Confirm the fix by checking that the MNDP service is no longer listening on port 7000.

Post-fix check: Run nmap -sU -p 7000 . The scan should not show port 7000 open.
Re-test: Re-run the initial Nmap scan to confirm that the service is disabled.
Monitoring: Monitor RouterOS logs for unexpected activity related to neighbor discovery.

nmap -sU -p 7000 
PORT     STATE    SERVICE
7000/udp filtered   unknown

6. Preventive Measures and Monitoring

Update security baselines to reflect the recommended configuration for disabling unnecessary services.

Baselines: Update your RouterOS security baseline or policy to include a requirement to disable MNDP unless specifically required.
Pipelines: Implement automated checks in CI/CD pipelines to ensure that new deployments do not enable unnecessary services like MNDP.
Asset and patch process: Review the configuration of all MikroTik devices regularly as part of your asset management process.

7. Risks, Side Effects, and Roll Back

Disabling MNDP may affect certain features that rely on neighbor discovery.

Risk or side effect 1: Disabling MNDP could break functionality if it is used for device discovery within your network.
Risk or side effect 2: None known.
Roll back: Re-enable the Neighbor Discovery Protocol using the command: /ip neighbor discovery enable.

8. References and Resources

Vendor advisory or bulletin: https://wiki.mikrotik.com/wiki/Manual:IP/Neighbor_discovery
NVD or CVE entry: Not applicable (this is a configuration issue, not a specific vulnerability).
Product or platform documentation relevant to the fix: https://help.mikrotik.com/docs/pages/viewpage.aspx?pageId=39850416

Updated on December 27, 2025

Was this article helpful?

Yes No