CVE-2023-25110 is a stack-based buffer overflow vulnerability classified under CWE-121, affecting the vtysh_ubus binary of the Milesight UR32L device firmware version 32.3.0.5. The root cause is the unsafe use of the sprintf function in the set_gre function, where the remote_virtual_ip variable is not properly bounds-checked before being copied into a fixed-size buffer. This allows an attacker with high privileges to craft a malicious HTTP request that overflows the buffer on the stack, overwriting adjacent memory and enabling arbitrary code execution. The vulnerability requires the attacker to have high privileges on the device, which implies prior access or compromise. Exploitation does not require user interaction, and the attack vector is network-based via HTTP requests. The impact includes full compromise of the device, allowing an attacker to execute arbitrary code, potentially leading to data theft, device manipulation, or denial of service. The CVSS v3.1 score is 7.2 (high), reflecting network attack vector, low attack complexity, required privileges, and high impact on confidentiality, integrity, and availability. No patches or public exploits have been reported yet, but the vulnerability is publicly disclosed and should be considered a significant risk for affected devices.

For European organizations, the exploitation of this vulnerability could lead to severe consequences including unauthorized control over Milesight UR32L devices, which are often used in networking and industrial environments. This could result in data breaches, disruption of network services, manipulation of network traffic, and potential pivoting to other internal systems. Critical infrastructure sectors such as energy, manufacturing, and telecommunications that rely on these devices could face operational disruptions and safety risks. The high privilege requirement limits the attack surface somewhat, but insider threats or compromised credentials could enable exploitation. The lack of known public exploits currently reduces immediate risk but does not eliminate it, as attackers may develop exploits. The vulnerability’s network-based nature means that exposed devices accessible from internal or external networks are at risk, emphasizing the need for strict network segmentation and access controls.

1. Immediately verify if Milesight UR32L devices running firmware version 32.3.0.5 are deployed within the environment. 2. Contact Milesight support or monitor official channels for firmware updates or patches addressing CVE-2023-25110 and apply them promptly once available. 3. Restrict network access to the management interfaces of affected devices, limiting HTTP access to trusted and authenticated users only. 4. Implement strict network segmentation to isolate critical devices from general user networks and the internet. 5. Employ intrusion detection/prevention systems (IDS/IPS) to monitor for anomalous HTTP requests targeting the vtysh_ubus service or unusual traffic patterns. 6. Enforce strong authentication and credential management to reduce the risk of privilege escalation that could enable exploitation. 7. Regularly audit device configurations and logs for signs of suspicious activity or exploitation attempts. 8. Consider temporary compensating controls such as disabling vulnerable services if feasible until patches are applied.