CVE-2023-25087 is a stack-based buffer overflow vulnerability classified under CWE-121, found in the vtysh_ubus binary of the Milesight UR32L router firmware version 32.3.0.5. The root cause is the unsafe use of the sprintf function in the firewall_handler_set function, which processes the index and to_dport variables derived from HTTP requests. Because sprintf does not perform bounds checking, specially crafted HTTP requests with malicious payloads can overflow the buffer, corrupting the stack. This corruption can lead to arbitrary code execution, allowing an attacker with high privileges to potentially execute malicious code on the device. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), but does require high privileges (PR:H) and no user interaction (UI:N). The vulnerability impacts confidentiality, integrity, and availability (C:H/I:H/A:H) of the affected device. Although no public exploits are known, the vulnerability's nature and CVSS score of 7.2 indicate a significant risk. The affected product, Milesight UR32L, is a network device commonly used in industrial and enterprise environments, making exploitation potentially impactful. The lack of available patches at the time of disclosure increases the urgency for mitigation.

For European organizations, exploitation of this vulnerability could lead to full compromise of affected Milesight UR32L devices, which may serve as critical network infrastructure components such as routers or firewalls. This could result in unauthorized access to internal networks, interception or manipulation of sensitive data, disruption of network services, and potential pivoting to other internal systems. Industrial sectors and enterprises relying on these devices for secure communications and firewalling are particularly at risk. The confidentiality, integrity, and availability of network traffic and connected systems could be severely affected. Given the high privileges required to exploit the vulnerability, insider threats or attackers who have already gained elevated access could leverage this flaw to escalate control. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as threat actors may develop exploits over time.

European organizations should immediately inventory their network infrastructure to identify any Milesight UR32L devices running version 32.3.0.5. Until a vendor patch is released, organizations should implement strict network segmentation and access controls to limit administrative access to these devices, ensuring only trusted personnel can send HTTP requests to the affected binary. Employ network-based intrusion detection/prevention systems (IDS/IPS) with custom signatures to detect anomalous or malformed HTTP requests targeting the firewall_handler_set function. Disable or restrict remote management interfaces if not required, or enforce VPN and multi-factor authentication for administrative access. Monitor device logs for unusual activity indicative of exploitation attempts. Engage with the vendor for patch availability and apply updates promptly once released. Additionally, consider deploying endpoint detection and response (EDR) solutions on critical systems to detect lateral movement stemming from compromised network devices.