CVE-2023-25106 is a stack-based buffer overflow vulnerability identified in the vtysh_ubus binary of the Milesight UR32L device firmware version 32.3.0.5. The vulnerability stems from the unsafe use of the sprintf function within the set_gre function, which processes the local_virtual_ip and local_virtual_mask parameters. Because sprintf does not perform bounds checking, specially crafted HTTP requests containing oversized input for these parameters can overflow the stack buffer, corrupting memory and enabling arbitrary code execution. Exploitation requires the attacker to have high privileges on the device, such as administrative access, but does not require user interaction. The vulnerability affects the confidentiality, integrity, and availability of the device, as arbitrary code execution could allow attackers to manipulate network traffic, disrupt device operation, or pivot into internal networks. The CVSS v3.1 base score is 7.2, reflecting a high severity with network attack vector, low attack complexity, and no user interaction. No public exploits are known yet, but the vulnerability is critical for environments where the UR32L is deployed as a network router or gateway. The lack of available patches at the time of disclosure necessitates immediate mitigation steps to reduce exposure.

For European organizations, this vulnerability poses a significant risk, especially for those deploying Milesight UR32L devices in network infrastructure roles such as industrial control systems, telecommunications, or enterprise edge routing. Successful exploitation could lead to full device compromise, enabling attackers to intercept or manipulate sensitive data, disrupt network services, or establish persistent footholds within critical networks. This could impact confidentiality through data leakage, integrity by altering network configurations or traffic, and availability by causing device crashes or denial of service. Given the device’s role in network connectivity, exploitation could cascade to broader network segments, amplifying the impact. The requirement for high privileges limits exposure to some extent, but insider threats or compromised administrative credentials could facilitate attacks. The absence of known exploits in the wild provides a window for proactive defense, but organizations must act swiftly to prevent potential exploitation.

1. Immediately restrict access to the management interfaces of the Milesight UR32L devices, ensuring only trusted administrators can connect, preferably via VPN or secure management networks. 2. Monitor network traffic for unusual HTTP requests targeting the device’s management interface, focusing on anomalous payload sizes or malformed GRE configuration requests. 3. Implement strict access control lists (ACLs) to limit which IP addresses can communicate with the device’s HTTP management service. 4. Regularly audit and rotate administrative credentials to reduce the risk of privilege abuse. 5. Engage with Milesight support or vendor channels to obtain firmware updates or patches addressing this vulnerability as soon as they become available. 6. If patching is delayed, consider temporary compensating controls such as disabling the vulnerable service or isolating the device from untrusted networks. 7. Conduct internal penetration testing to verify the effectiveness of mitigations and detect any signs of compromise. 8. Maintain up-to-date asset inventories to identify all affected devices across the organization.