CVE-2023-25112 is a stack-based buffer overflow vulnerability identified in the vtysh_ubus binary of the Milesight UR32L router firmware version 32.3.0.5. The root cause is the unsafe use of the sprintf function in the set_l2tp function, where the remote_subnet and remote_mask variables are handled without proper bounds checking. This allows an attacker with high privileges to craft malicious HTTP requests that overflow the buffer on the stack, overwriting adjacent memory and enabling arbitrary code execution. The vulnerability requires the attacker to have high privileges on the device, but no user interaction is needed beyond sending the HTTP request. The CVSS 3.1 base score is 7.2, reflecting high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and no user interaction. The vulnerability affects a critical network device used for routing and VPN services, which could be leveraged to disrupt network operations or gain persistent control over the device. Currently, no public exploits are known, and no patches have been linked, indicating the need for immediate vendor engagement and mitigation strategies.

For European organizations, the exploitation of this vulnerability could lead to severe consequences including unauthorized control over network routing devices, interception or manipulation of sensitive data, and disruption of network availability. Given the central role of Milesight UR32L devices in network infrastructure, successful exploitation could compromise enterprise networks, critical infrastructure, and industrial control systems. This is particularly concerning for sectors such as telecommunications, energy, manufacturing, and government agencies that rely on secure and stable network connectivity. The ability to execute arbitrary code could allow attackers to establish persistent footholds, move laterally within networks, or launch further attacks. The high privileges required limit the attack surface but do not eliminate risk, especially in environments where internal threat actors or compromised credentials exist.

Organizations should immediately inventory their network for the presence of Milesight UR32L devices running version 32.3.0.5. Since no official patches are currently linked, it is critical to engage with the vendor for updates or workarounds. In the interim, restrict administrative access to these devices to trusted personnel only and enforce strong authentication mechanisms. Network segmentation should be implemented to isolate vulnerable devices from less trusted network zones. Deploy web application firewalls or intrusion prevention systems capable of detecting and blocking malformed HTTP requests targeting the set_l2tp function. Regularly monitor device logs and network traffic for anomalous activity indicative of exploitation attempts. Additionally, consider disabling or limiting the HTTP management interface if not strictly necessary, or restrict it to specific IP addresses. Establish incident response plans specific to network device compromise scenarios.