CVE-2023-25091 is a stack-based buffer overflow vulnerability classified under CWE-121, found in the vtysh_ubus binary of the Milesight UR32L device firmware version 32.3.0.5. The vulnerability stems from the unsafe use of the sprintf function in the handle_interface_acl function, specifically when the out_acl parameter is set to -1, which causes improper handling of the interface variable. This flaw allows an attacker with high privileges to send specially crafted HTTP requests to the device, triggering the buffer overflow and enabling arbitrary code execution. The vulnerability affects the device's confidentiality, integrity, and availability, as an attacker could execute malicious code remotely without user interaction. The attack vector is network-based (AV:N), with low attack complexity (AC:L), but requires high privileges (PR:H). The scope is unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). No patches or mitigations are currently linked, and no known exploits have been observed in the wild. This vulnerability is critical for environments relying on Milesight UR32L devices, often used in industrial, IoT, and network infrastructure contexts, where exploitation could lead to full device compromise and lateral movement within networks.

For European organizations, exploitation of CVE-2023-25091 could lead to severe consequences including unauthorized control over Milesight UR32L devices, which are commonly deployed in industrial control systems, IoT networks, and enterprise environments. Successful exploitation could result in data breaches, disruption of network services, and potential pivoting to other critical infrastructure components. Given the device’s role in network management and security, attackers could manipulate network traffic, disable security controls, or cause denial of service. The requirement for high privileges limits the attack surface somewhat, but insider threats or compromised credentials could enable exploitation. The impact is particularly significant for sectors such as manufacturing, energy, transportation, and critical infrastructure operators across Europe, where these devices may be integral to operational technology (OT) environments. The absence of known exploits currently provides a window for proactive defense, but the high severity score underscores the urgency of mitigation.

European organizations should immediately inventory their network for Milesight UR32L devices running firmware version 32.3.0.5 and restrict access to the device management interfaces to trusted administrators only. Network segmentation should be enforced to isolate these devices from general user networks and limit exposure to potential attackers. Implement strict access controls and multi-factor authentication for all privileged accounts to reduce the risk of credential compromise. Monitor network traffic for unusual HTTP requests targeting the vtysh_ubus binary or anomalous behavior indicative of exploitation attempts. Since no official patch is currently linked, consider deploying virtual patching via intrusion prevention systems (IPS) to detect and block exploit attempts targeting the vulnerable function. Engage with the vendor for firmware updates or security advisories and plan for timely patch deployment once available. Additionally, conduct regular security audits and penetration tests focusing on OT and IoT devices to identify and remediate similar vulnerabilities proactively.