CVE-2023-25086 is a stack-based buffer overflow vulnerability classified under CWE-121, found in the vtysh_ubus binary of the Milesight UR32L router firmware version 32.3.0.5. The root cause is the unsafe use of the sprintf function within the firewall_handler_set function, where the index and dport variables are improperly handled, leading to buffer overflow conditions. This vulnerability can be triggered remotely via specially crafted HTTP requests sent to the device. Exploitation requires the attacker to have high privileges on the device, but no user interaction is necessary. Successful exploitation allows arbitrary code execution, which can compromise the device’s confidentiality, integrity, and availability. The CVSS v3.1 score is 7.2 (high severity), reflecting network attack vector, low attack complexity, required privileges, and full impact on confidentiality, integrity, and availability. Although no known exploits are currently in the wild, the vulnerability poses a serious risk to affected devices, especially those deployed in critical network environments. The lack of available patches at the time of publication necessitates immediate attention to alternative mitigations. The vulnerability’s presence in a network device used for routing and firewall functions increases the potential impact on organizational network security posture.

For European organizations, exploitation of this vulnerability could lead to full compromise of affected Milesight UR32L devices, which are often used in enterprise and industrial network environments. This could result in unauthorized access to internal networks, interception or manipulation of sensitive data, disruption of network services, and potential pivoting to other internal systems. The impact is particularly severe for critical infrastructure sectors such as energy, manufacturing, telecommunications, and transportation that rely on these devices for secure network operations. Compromise could lead to operational downtime, data breaches, and loss of trust. Given the network-facing nature of the vulnerability and the possibility of remote code execution, attackers could leverage this flaw to establish persistent footholds or launch further attacks within European organizational networks.

Organizations should immediately inventory their network infrastructure to identify any Milesight UR32L devices running version 32.3.0.5. Until a vendor patch is released, network segmentation should be enforced to isolate these devices from untrusted networks and limit administrative access. Implement strict access controls and monitor HTTP traffic to these devices for anomalous or suspicious requests targeting the firewall_handler_set function. Employ intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics capable of detecting buffer overflow attempts or malformed HTTP requests. Disable or restrict remote management interfaces if not required. Regularly review device logs for signs of exploitation attempts. Engage with the vendor for updates on patches or firmware upgrades addressing this vulnerability. Additionally, consider deploying network-level mitigations such as web application firewalls (WAF) to filter malicious HTTP requests targeting the device.