CVE-2023-25105 is a stack-based buffer overflow vulnerability identified in the Milesight UR32L device firmware version v32.3.0.5. The flaw exists in the vtysh_ubus binary, specifically within the set_ike_profile function where the secrets_remote variable is processed using an unsafe sprintf pattern. This unsafe coding practice leads to the possibility of overflowing the stack buffer when handling specially crafted HTTP requests. Exploitation requires the attacker to have high privileges, enabling them to send malicious HTTP requests directly to the device. Successful exploitation can result in arbitrary code execution, compromising the device’s confidentiality, integrity, and availability. The vulnerability is classified under CWE-121 (stack-based buffer overflow) and has a CVSS v3.1 base score of 7.2, indicating high severity. The attack vector is network-based (AV:N), with low attack complexity (AC:L), requiring privileges (PR:H), no user interaction (UI:N), and impacts confidentiality, integrity, and availability (C:H/I:H/A:H). No public exploits have been reported yet, but the potential for remote code execution makes this a critical concern for organizations deploying these devices. The lack of available patches at the time of reporting necessitates immediate mitigation steps to reduce exposure.

For European organizations, exploitation of this vulnerability could lead to full compromise of Milesight UR32L devices, which are often used in networking and security infrastructure. This could result in unauthorized access to sensitive network segments, interception or manipulation of data, disruption of network services, and potential pivoting to other internal systems. Critical infrastructure sectors such as energy, transportation, and telecommunications that rely on these devices may face operational disruptions and data breaches. The high privileges required for exploitation somewhat limit the attack surface but do not eliminate risk, especially in environments where administrative access is not tightly controlled. The vulnerability’s impact on confidentiality, integrity, and availability could have severe consequences for compliance with European data protection regulations such as GDPR, and could undermine trust in network security.

1. Immediately restrict HTTP access to the management interface of Milesight UR32L devices to trusted administrators only, preferably via VPN or secure management networks. 2. Implement strict network segmentation and firewall rules to limit exposure of these devices to untrusted networks. 3. Monitor network traffic for anomalous HTTP requests targeting the vtysh_ubus service or unusual patterns indicative of exploitation attempts. 4. Enforce strong authentication and privilege management to minimize the number of users with high privileges capable of triggering the vulnerability. 5. Regularly audit device configurations and logs for signs of compromise or attempted exploitation. 6. Engage with the vendor for firmware updates or patches addressing this vulnerability and plan prompt deployment once available. 7. Consider deploying intrusion detection/prevention systems (IDS/IPS) with signatures for buffer overflow attempts against Milesight devices. 8. Educate network administrators about the risks and signs of exploitation related to this vulnerability.