CVE-2023-25093 is a stack-based buffer overflow vulnerability classified under CWE-121, found in the vtysh_ubus binary of the Milesight UR32L device firmware version 32.3.0.5. The vulnerability stems from the unsafe use of the sprintf function in the set_qos function, where the class_name variable is not properly bounded, allowing an attacker to overflow the stack buffer. This overflow can be triggered by sending a specially crafted HTTP request to the device. The vulnerability requires the attacker to have high privileges on the device, but does not require user interaction. Successful exploitation can lead to arbitrary code execution, compromising the device’s confidentiality, integrity, and availability. The CVSS v3.1 base score is 7.2, reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No public exploits are currently reported, but the vulnerability poses a significant risk due to the potential for remote code execution on network infrastructure devices. The lack of available patches at the time of reporting increases the urgency for mitigation.

For European organizations, this vulnerability poses a critical risk to network infrastructure security, especially for those relying on Milesight UR32L devices for routing or network management. Exploitation could allow attackers to execute arbitrary code remotely, potentially leading to full device compromise, interception or manipulation of network traffic, disruption of services, and lateral movement within internal networks. This can severely impact critical sectors such as telecommunications, manufacturing, energy, and public services that depend on reliable network devices. The high privileges required limit exploitation to insiders or attackers who have already gained elevated access, but once exploited, the impact on confidentiality, integrity, and availability is severe. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time.

European organizations should immediately inventory their network devices to identify any Milesight UR32L units running firmware version 32.3.0.5. Until an official patch is released, organizations should restrict access to the device management interfaces to trusted administrators only, ideally via isolated management networks or VPNs. Implement strict network segmentation and firewall rules to limit HTTP access to these devices. Monitor network traffic for unusual HTTP requests targeting the vtysh_ubus service. Employ host-based intrusion detection systems to detect anomalous behavior indicative of exploitation attempts. Additionally, enforce the principle of least privilege to minimize the number of users with high-level access to these devices. Regularly check for firmware updates from Milesight and apply patches promptly once available. Consider deploying network-level protections such as web application firewalls (WAFs) that can detect and block malformed HTTP requests targeting this vulnerability.