7.21.5 [long-term] is released!

Before an upgrade:

  1. Remember to make backup/export files before an upgrade and save them on another storage device;
  2. Make sure the device will not lose power during upgrade process;
  3. Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.21.5 (2026-Jul-03 13:23):

  • fixed a service security issue, home user with default config not affected, but we recommend the upgrade for all users regardless;
  • bfd - fixed delay on session print;
  • bgp - fixed advertisement print handling by "dst" when destination is in VRF;
  • bgp - fixed IPv6 End-of-Route processing;
  • bgp - improved stability on MP (multiprotocol) parsing;
  • bridge - fixed dynamic VLAN update for wifi interfaces;
  • bridge - fixed stability issue when using DHCPv4 snooping;
  • cloud - cloud backup file management now requires "policy" policy;
  • console - fixed unresponsiveness when entering safe-mode through the Windows 11 terminal;
  • container - fixed missing config.json issue when upgrading from version 7.20.8 or older;
  • disk - avoid reading SCSI stats all the time to allow disks to go to sleep;
  • ethernet - fixed stability issue with TSO on Alpine CPUs;
  • ethernet - improved system stability on devices with Alpine CPUs;
  • ipv6 - do not disable IPv6 FastPath when Traffic Flow is enabled;
  • isis - allow to configure metric-type;
  • isis - fixed missing "l2.lsp-refresh-interval" parameter;
  • l3hw - improved system stability on device shutdown/reboot;
  • lte - fixed cases where EC25-EU and EG25-G boards would receive packets with missing last 4 bytes;
  • lte - fixed crash on LTE passthrough interface deactivation;
  • ospf - fixed interface passive flag update in WinBox;
  • route - fixed static route flag handling by WinBox on disable;
  • route - removed deprecated "/routing/route/rule" menu;
  • switch - fixed issue with MAC table for RB2011 (introduced in v7.21);
  • switch - fixed rare possibility of tx-timeout or simultaneous flap of all switch ports on devices with Alpine CPUs;
  • switch - increase "ingress-rate" and "egress-rate" maximum value to 400G;
  • timezone - updated timezone information from "tzdata2026b" release;
  • upgrade - prevent package scheduling from interfering with the upgrade feature;
  • vxlan - fixed fast-path when using "checksum=no" (introduced in v7.20);
  • winbox - do not pre-fill "Allowed Address" and "Client Allowed Address" with "::/0" when adding new WireGuard Peer;

To upgrade, click Check For Updates under System/Packages menu and select the long term Channel in RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

  • Everything went smoothly
  • I encountered an issue after the update (please post about the device, configuration, and unexpected symptoms)
  • I encountered an issue, but solved it (please post the solution)
0 voters

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. The file must be generated while a router is not working as suspected or after some problem has appeared on the device

Please keep this forum topic strictly related to this particular RouterOS release.

2 hAP AC2 dead when going from 7.21.4 to 7.21.5....

Oops. I will wait then before updating two remote ac2.

I'm physically onsite and no one is working today, so I tried upgrading 20 cAP ac units with wifi-qcom-ac drivers one by one for testing and everything is fine. 3x hAP ac2 at home too.

Ok, 2 hAP ac2 updated without issues

erm, no 7.20.9?

And by dead you mean what exactly?

Why would you expect that version?

Can't go 7.22+ yet, plus: 7.21.4 [long-term] is released! - #96 by starlingus

Why can't you go to latest stable?

Boot loop, Fixed with netinstall.

SXT, HAP AC2, HAP AC3, WAP60G, CUBE60G, HAP AX2, HAP AX3 all good from 7.21.4

One reason would be that "latest stable" announces IPv6 addresses and advertises itself as a router, even when that has been set to "no" for that address. This bug was added in 7.23.

!) fixed a service security issue, home user with default config not affected, but we recommend the upgrade for all users regardless;
This description is somewhat vague. Is there a CVE for this service security issue?

This line in the changelog has been replaced with

!) ppp - fixed CVE-2026-59108;

which is even less informative that this moment as no further information is currently available for this CVE.

Edit: as it appears exactly the opposite happened.

No, that was the original line. It has been replaced with the "fixed a service security issue" (which already is a first, normally that would be some "improved (service) stability").

Thank you for the correction! MikroTik should have kept the CVE number as part of the change description.

Well, in this case the CVE content is secret so it does not (yet) add useful information. It would have been good to know what function is broken and what could be the effect of exploiting it.

(DOS, Unauthorized PPP session, privilege elevation inside RouterOS itself, ...)