[fixed in 7.14] Security vulnerability: Default configuration firewall bypass for IPv6 UDP

I identified a security vulnerability in the RouterOS default IPv6 firewall rule some time ago:

/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp

An attacker is in control of the source port and can thereby craft IPv6 packets in this range that are always accepted by the default firewall rules, exposing all UDP services, including CAPsMAN, DNS, container and others where enabled.

I logged this into CVE-2023-47310 for publication some time after MikroTik released the fix. Working with MikroTik, the default firewall rules were updated in RouterOS 7.14 to fix this.

Please check your scripts and correct to: dst-port=33434-33534.

Thanks,
Dan

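The matcher difference behind this report, together with a check over an exported rule set, as an added example (not RouterOS code and not from the post above). It assumes the RouterOS semantics the post relies on, namely that `port=` matches either the source or the destination port while `dst-port=` matches only the destination, and the export lines it parses are constructed.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:              # constructed sample packet: only the fields the matchers consult
    proto: str
    src_port: int
    dst_port: int

def parse_rule(line):
    """Turn one 'add key=value ...' export line into a {matcher: value} dict (None otherwise)."""
    line = line.strip()
    if not line.startswith("add "):
        return None
    pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])   # quoted comment= may hold spaces
    return {k: v.strip('"') for k, v in pairs}

def in_range(spec, port):
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule, pkt):
    """Assumed semantics: port= matches source OR destination, dst-port= destination only."""
    if rule.get("protocol", pkt.proto) != pkt.proto:
        return False
    if "port" in rule and not (in_range(rule["port"], pkt.src_port)
                               or in_range(rule["port"], pkt.dst_port)):
        return False
    if "dst-port" in rule and not in_range(rule["dst-port"], pkt.dst_port):
        return False
    return True

def weak_port_accepts(export_text):
    """Audit an export: input-chain accept rules keyed on port= instead of dst-port=."""
    return [line.strip() for line in export_text.splitlines()
            if (r := parse_rule(line)) and r.get("chain") == "input"
            and r.get("action") == "accept" and "port" in r and "dst-port" not in r]

OLD_LINE = 'add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp'
NEW_LINE = 'add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp'
OLD_RULE, NEW_RULE = parse_rule(OLD_LINE), parse_rule(NEW_LINE)
# Constructed export snippet: the weak rule, the corrected rule and an unrelated drop rule.
SAMPLE_EXPORT = "/ipv6 firewall filter\n%s\n%s\nadd action=drop chain=input comment=\"constructed\"\n" % (OLD_LINE, NEW_LINE)

if __name__ == "__main__":
    probe = Packet("udp", 40000, 33434)   # genuine traceroute probe
    odd = Packet("udp", 33434, 53)        # source port in range, destined for DNS
    for name, rule in (("port=", OLD_RULE), ("dst-port=", NEW_RULE)):
        print(name, "probe", rule_matches(rule, probe), "src-in-range->53", rule_matches(rule, odd))
    print("weak:", weak_port_accepts(SAMPLE_EXPORT))
```

Running `weak_port_accepts` over a real `/ipv6 firewall filter export` is the quickest way to confirm a router still carries the pre-7.14 rule.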

This CVE number you named is still only reserved and not published. https://www.cve.org/CVERecord?id=CVE-2023-47310