CVE-2023-25115 is a stack-based buffer overflow vulnerability identified in the vtysh_ubus binary of the Milesight UR32L router, specifically in version 32.3.0.5. The root cause is the unsafe use of the sprintf function within the set_openvpn_client function, which processes the remote_ip and port parameters from HTTP requests. Because sprintf does not perform bounds checking, specially crafted inputs can overflow the stack buffer, corrupting memory and enabling arbitrary code execution. Exploitation requires the attacker to have high privileges, meaning they must already have authenticated access or elevated rights on the device. The vulnerability affects confidentiality, integrity, and availability, as arbitrary code execution can lead to data leakage, device manipulation, or denial of service. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no user interaction (UI:N), and unchanged scope (S:U). The CVSS v3.1 base score is 7.2, reflecting a high severity. Although no public exploits have been reported, the critical nature of the vulnerability and the device’s role in network infrastructure make it a significant risk. The lack of available patches at the time of reporting necessitates immediate mitigation steps to reduce exposure.

For European organizations, the impact of this vulnerability can be substantial, especially for those relying on Milesight UR32L devices for network routing, VPN connectivity, or other critical infrastructure roles. Successful exploitation could allow attackers to execute arbitrary code, potentially leading to full device compromise, interception or manipulation of network traffic, disruption of VPN services, and lateral movement within internal networks. This could result in data breaches, operational downtime, and loss of trust. Given the high privileges required for exploitation, insider threats or attackers who have already gained initial access pose the greatest risk. The vulnerability’s network exposure means that devices accessible from less trusted network segments or the internet are particularly vulnerable. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits in the future. Organizations in sectors such as telecommunications, critical infrastructure, and enterprises with distributed networks are especially at risk.

1. Immediately restrict access to the management interfaces of Milesight UR32L devices, ensuring only trusted and authenticated users can reach the HTTP service. 2. Implement network segmentation to isolate these devices from untrusted networks and reduce attack surface exposure. 3. Monitor network traffic for unusual or malformed HTTP requests targeting the vtysh_ubus service, using IDS/IPS solutions with custom signatures if possible. 4. Enforce strict authentication and authorization policies to prevent unauthorized privilege escalation. 5. Regularly audit device configurations and logs for signs of exploitation attempts or anomalous behavior. 6. Engage with the vendor for patches or firmware updates addressing this vulnerability and apply them promptly once available. 7. Consider deploying compensating controls such as application-layer firewalls or reverse proxies to filter malicious requests. 8. Educate network administrators about the vulnerability and the importance of limiting high-privilege access.