A new (or reset) mAP Lite device expects Winbox connections only on the wlan interface (ether1 has DROP filters in the default configuration).
When the device is started for the first time, an attacker could connect as admin (with no password) over wlan just before a trusted person has a chance to set up anything.
How often will that happen, and what is the resolution for this?
If you see that after the reset, you cannot connect (you went away for some coffee, and when you came back the router was not responding)… So what do you do?
Exactly: Reset it again.
And then do NOT go for coffee, but immediately connect and run a config restore.
The wired side is presumed to be the internet side and thus no connections are allowed.
The setup procedure is the same on all MikroTik products - it is assumed that the operator puts a password
on the device soon after powerup and monitors for possible intruders.
I’m glad my MikroTik comes with WLAN disabled by default.
OP is right, default wireless enabled with management access is dangerous; no matter how small the window is, the race condition is a vulnerability.
I always hate that consumer routers and some 3rd-party firmware have no password or a simple one, with wireless enabled by default.
However, I remember MikroTik has an option to run a custom script immediately after reinstall/reset; you can use this to fix the issue.
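
A sketch of the run-after-reset approach mentioned in the last post, added here as an example and not taken from any participant in the thread. It assumes RouterOS v6 syntax with the legacy wireless package, ether1 as the trusted admin port, and a constructed file name (`harden.rsc`), address range, list name (`MGMT`) and placeholder password.

```routeros
# harden.rsc - constructed example; upload it to the router's Files before resetting.
# Start the reset from the terminal (this line is not part of the script):
#   /system reset-configuration no-defaults=yes skip-backup=yes run-after-reset=harden.rsc
# no-defaults=yes skips the factory default configuration, so the only
# configuration applied after the reset is the one in this file.

# 1. Set the admin password before anything else is brought up.
#    Placeholder value; replace it before uploading.
/user set [find name=admin] password="CHANGE-ME-placeholder"

# 2. Keep every wireless interface down until it has a secured configuration.
/interface wireless disable [find]

# 3. Give the wired port a management address (assumed subnet).
/ip address add address=192.168.88.1/24 interface=ether1

# 4. Limit layer-2 management (MAC-Telnet, MAC-Winbox) and neighbor
#    discovery to the wired port only.
/interface list add name=MGMT
/interface list member add list=MGMT interface=ether1
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/ip neighbor discovery-settings set discover-interface-list=MGMT

# 5. Accept Winbox only from the admin subnet and turn off services
#    that are not needed for the initial setup.
/ip service set winbox address=192.168.88.0/24
/ip service disable telnet,ftp,www,api,api-ssl
```

The script file holds the password in clear text, so remove it from the router's Files once the reset has completed and change the password afterwards.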