CVE-2023-25123 is a stack-based buffer overflow vulnerability identified in the vtysh_ubus binary of the Milesight UR32L router, specifically version 32.3.0.5. The root cause is the unsafe use of the sprintf function within the set_openvpn_client function, which handles configuration parameters remote_subnet and remote_mask when the action parameter equals 2. This unsafe pattern allows an attacker with high privileges to craft a malicious HTTP request that overflows the stack buffer, overwriting adjacent memory and enabling arbitrary code execution. The vulnerability affects the confidentiality, integrity, and availability of the device, as an attacker could execute arbitrary code, potentially gaining control over the device or disrupting its operation. Exploitation requires high privileges, meaning the attacker must already have significant access to the device or network. No user interaction is necessary once the attacker has the required privileges. The CVSS v3.1 base score is 7.2, reflecting the network attack vector, low attack complexity, required privileges, and high impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the vulnerability poses a significant risk to organizations relying on this device for network connectivity and VPN services. The lack of available patches at the time of disclosure increases the urgency for mitigations or vendor updates.

For European organizations, exploitation of this vulnerability could lead to full compromise of affected Milesight UR32L devices, which are often used in industrial, enterprise, and critical infrastructure networks. Successful exploitation could allow attackers to execute arbitrary code, potentially leading to unauthorized access to internal networks, interception or manipulation of sensitive data, disruption of VPN services, and denial of network availability. This could have severe consequences for sectors such as manufacturing, energy, transportation, and government agencies that rely on these devices for secure communications. The requirement for high privileges limits the attack surface but does not eliminate risk, especially in environments where internal threat actors or lateral movement by attackers is possible. The absence of known exploits in the wild suggests limited current exploitation but also indicates a window of opportunity for attackers to develop exploits before patches are widely deployed.

European organizations should immediately inventory their network to identify any Milesight UR32L devices running version 32.3.0.5. Until a vendor patch is available, organizations should restrict access to the management interfaces of these devices to trusted administrators only, ideally through isolated management networks or VPNs with multi-factor authentication. Network segmentation should be enforced to limit the ability of attackers to reach vulnerable devices. Monitoring and logging of HTTP requests to the device should be enhanced to detect anomalous or suspicious activity targeting the vtysh_ubus binary. If possible, disable or restrict OpenVPN client configuration changes via HTTP requests to reduce exposure. Organizations should engage with Milesight for updates or patches and apply them promptly once released. Additionally, conduct regular vulnerability assessments and penetration tests focusing on network devices to detect exploitation attempts. Incident response plans should be updated to include scenarios involving network device compromise.