7.23.2 [stable] is released!

Before an upgrade:

  1. Remember to make backup/export files before an upgrade and save them on another storage device;
  2. Make sure the device will not lose power during upgrade process;
  3. Device has enough free storage space for all RouterOS packages to be downloaded.

What's new in 7.23.2 (2026-Jul-03 12:08):

  • fixed a service security issue, home user with default config not affected, but we recommend the upgrade for all users regardless;
  • app - fixed "reset" not working with certain apps;
  • app - fixed home-assistant default config files;
  • app - only generate secrets for enabled apps;
  • app - resolved issue where duplicate swaps are created;
  • bfd - fixed delay on session print;
  • bgp - added option to add BGP VPLS created interfaces in interface-list;
  • bgp - fixed advertisement print handling by "dst" when destination is in VRF;
  • bgp - fixed IPv6 End-of-Route processing;
  • bgp - improved stability on MP (multiprotocol) parsing;
  • certificate - always use all trust stores for downloaded CRL validation;
  • container - fixed missing config.json issue when upgrading from version 7.20.8 or older;
  • interface - fixed duplicate MAC warning for wireless, wifi, macsec, w60g interfaces (introduced in v7.23);
  • ipsec - fixed policy move handling;
  • ipsec,ike2 - fixed active connection termination;
  • ipsec,ike2 - fixed SA payload validation;
  • ipsec,ike2 - improved pending child SA cleanup and removal of dangling SAs during Phase 2 deletion;
  • isis - fixed missing "l2.lsp-refresh-interval" parameter;
  • leds - fixed missing wireless LED configuration (introduced in v7.21);
  • lte - fixed cases where EC25-EU and EG25-G boards would receive packets with missing last 4 bytes;
  • ospf - added missing "type=ptmp-broadcast" parameter to "/routing/ospf/interface" menu;
  • ospf - allow comments on static interfaces;
  • ospf - fixed interface passive flag update in WinBox;
  • pim - added comment for "/routing/gmp" entries;
  • ppp - improved system stability;
  • route - fixed static route flag handling by WinBox on disable;
  • routerboard - renamed "ipq53xx" firmware type to "ipq5300";
  • switch - increase "ingress-rate" and "egress-rate" maximum value to 400G;
  • upgrade - prevent package scheduling from interfering with the upgrade feature;
  • winbox - added missing values to "AFI" setting under "Routing/BGP" menus;
  • winbox - do not pre-fill "Allowed Address" and "Client Allowed Address" with "::/0" when adding new WireGuard Peer;
  • winbox - fixed value unset under "MPLS/LDP Neighbor" menu;

To upgrade, click Check For Updates under System/Packages menu and select the stable Channel in RouterOS configuration interface, or head to our download page: http://www.mikrotik.com/download

  • Everything went smoothly
  • I encountered an issue after the update (please post about the device, configuration, and unexpected symptoms)
  • I encountered an issue, but solved it (please post the solution)
0 voters

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. The file must be generated while a router is not working as suspected or after some problem has appeared on the device

Please keep this forum topic strictly related to this particular RouterOS release.

Is it possible to do the same for ARM, especially for devices with 16MB ROM like the hAP ac2, cAP ac, cAP XL ac, Chateau LTE6, Chateau LTE7, wAP 60G, wAP 60G AP, LHG 60G, SXTsq 5 ac, LHG XL 5 ac, etc?

Upgraded from 7.23.1 and getting a critical error in the log:
error while running customized default configuration script: no such item (/interface/wifi/get; line 457)

And split wifi-qcom-ac...
And fix kernel failures on ac devices...

Is the problem of erroneous transmission of IPv6 RA of addresses with advertise=no fixed in this version, or will it be fixed in another 7.23.x version? With that, we cannot upgrade to 7.23.x and we are running 7.22.2 on most routers so downgrade to 7.21.5 is not attractive either.


5009 did not create an autosupout file and did not reboot again after half an hour.

Have some comments been deleted? I thought I saw something from cve and some replies from Normis.

Let's keep to the topic about release, some misinformation was cleared, to keep the topic clean. Sorry about that.

Fixing security issues are great. But... what were they? It would help users to evaluate how urgent is the upgrade for their network.

We made improvements to security of exposed / open services. If you have open ports to untrusted networks, this is a recommended upgrade. Home users with typical default configs should not worry, but we still recommend everyone to upgrade, as these are good improvements. We made a correction in the post, since the fix is a bit broader than initially reported, mistake by publisher. Sorry about that.

Support ticket SUP-196157 for this has been made almost a year ago and has been closed without implementing it.

There will be plenty of people who use PPP in some form and can't immediately update. Can you at least specify which service is affected, how bad is it and what can we do to avoid issues if we can't upgrade immediately?

Most of us might not be "home users with default configs", but are making our living by maintaining and managing these devices - which means that these are rarely at their "default configs".

It is not feasible to do this job simply relying on this kind of obscure descriptions. Deleting questions (by administrative/moderating power) does not resolve your biggest problem - which anybody can see reading every single "changelog". Problem that is only exaggerated by situations like this one here.

How serious is CVE-2026-59108? I received it in an email notification, but it has now been deleted from the changelog in favor of: 'fixed a service security issue, home user with default config not affected, but we recommend the upgrade for all users regardless'.
I assume it's very serious, since a new version, 6.49.20, has been released too.

Like written above, people with exposed services are strongly suggested to upgrade at the earliest possibility.

Does wireguard count as "exposed service"?

Upgraded my hAP ac³ from 7.23.1 to 7.23.2 without any issues.

I'm sorry, but we need to know which PPP service is affected. It's not easy to upgrade hundreds of devices with the wave of a magic wand.

Upgraded one RB5009 now. From 7.23.1 to 7.23.2.

Simple config, without VLANs or anything fancy.

But with 16 Wireguard tunnels, 14 IPv6 BGP sessions, using link local, and about 14k routes.
Everything looks fine. No issues, no problems rebooting.

Considering their behavior of obscurity and hiding things.
My guess is that it is VERY Serious!

  • Initial posts of topics of new releases edited removing the reference to CVE.
  • Some posts deleted(all those with reference to CVE) (God bless screenshots)
  • Even the release notes itself were altered.
  • Still no mention on https://mikrotik.com/supportsec (las one is CVE-2025-10948 - Sep 25, 2025)