According to the released documents, the CIA supposedly has tools that can inject malicious tools into RouterOS devices, if the public interface of the RouterOS device has no firewall on port 80. The exploit is called "ChimayRed".
Quote from Wikileaks document https://wikileaks.org/ciav7p1/cms/page_20250630.html:
Also, it seems that this exploit may not be functional in RouterOS version above v6.30.1 (released 2015-07-15)."ROS 6.28 has a Firewall Filter Rule to drop access to WAN side ethernet port. This was disabled in order to throw ChimayRed"
Quote from Wikileaks document https://wikileaks.org/ciav7p1/cms/page_20251203.html:
Since none of the tools and malware referenced in the initial Vault 7 disclosure have been made available by Wikileaks, it is currently unclear if the malware tries to exploit any vulnerability in current RouterOS releases (6.38.4 'current' and 6.37.5 'bugfix' or newer). We will continue to strengthen RouterOS services and have already released RouterOS version 6.38.4 which removes any malicious files in devices that have been compromised. MikroTik will follow Wikileaks for any new information on this exploit."Downgraded to ROS 6.30.1. ChimayRed does not support 6.30.2"
Most RouterBOARD products come with default firewall rules that already protect against malicious access from the public interface. If you have disabled these rules, or have cleared the default config, please apply firewall rules on the public interfaces of your devices to block access to port 80, upgrade RouterOS to the latest version and follow general router protection guides in our documentation, like limiting access only to your own IP address and disabling unused services.
UPDATE 1: Hotspot is not affected by the vulnerabilities outlined above.
UPDATE 2: v6.38.5 and 6.39rc49 has been released, this version fixes the vulnerabilities outlined in the above documents, and cleans any files installed by the tools described.
UPDATE 3: As of November 2017, Wikileaks have NOT followed up their claims and have not provided any proof that their previous statements are true. We also have NOT seen a single affected device.