CVE-2025-4043: CWE-1274 in Milesight UG65-868M-EA
An admin user can gain unauthorized write access to the /etc/rc.local file on the device, which is executed on a system boot.
AI Analysis
Technical Summary
CVE-2025-4043 is a vulnerability identified in the Milesight UG65-868M-EA device, a product likely used in industrial or IoT contexts given the vendor's typical portfolio. The vulnerability is classified under CWE-1274, which involves improper access control leading to unauthorized write access. Specifically, an authenticated admin user can gain unauthorized write access to the /etc/rc.local file on the device. The /etc/rc.local file is a critical system script executed during system boot, allowing commands within it to run with root privileges. By modifying this file, an attacker with admin credentials can insert arbitrary commands or scripts that will execute on every reboot, potentially establishing persistent control or altering device behavior in a malicious way. The CVSS v3.1 base score is 6.8 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring high privileges (PR:H), no user interaction (UI:N), scope changed (S:C), no confidentiality impact (C:N), high integrity impact (I:H), and no availability impact (A:N). This means the vulnerability requires an attacker to already have admin-level privileges on the device, but once exploited, it can lead to significant integrity violations by allowing persistent unauthorized code execution. There are no known public exploits or patches available at the time of publication (May 7, 2025). The vulnerability was reserved on April 28, 2025, and published shortly after, indicating recent discovery and disclosure. The lack of patches suggests that organizations using this device must take interim mitigations until a vendor fix is released. Given the nature of the device and vulnerability, this could be leveraged in targeted attacks to maintain persistence or escalate control within industrial or IoT networks.
Potential Impact
For European organizations, especially those in critical infrastructure sectors such as energy, manufacturing, or smart city deployments that utilize Milesight UG65-868M-EA devices, this vulnerability poses a significant risk to system integrity. Unauthorized modification of the /etc/rc.local file can allow attackers to implant persistent malicious code that executes on every reboot, potentially leading to long-term compromise of device functionality. This could disrupt operational processes, enable lateral movement within networks, or facilitate espionage. Although exploitation requires admin privileges, in environments where admin credentials are shared or insufficiently protected, the risk is amplified. The integrity impact can lead to unauthorized configuration changes, data manipulation, or sabotage of device operations. Since the vulnerability does not affect confidentiality or availability directly, the primary concern is the trustworthiness and correct operation of the device, which is critical in industrial control systems. The absence of known exploits reduces immediate risk but does not eliminate it, as threat actors could develop exploits rapidly. European organizations with deployments of this device should consider the potential for targeted attacks aiming to establish persistence or manipulate device behavior.
Mitigation Recommendations
1. Restrict and monitor admin access: Enforce strict access controls and multi-factor authentication for admin accounts on Milesight UG65-868M-EA devices to reduce the risk of credential compromise. 2. Network segmentation: Isolate these devices within secure network zones with limited access to reduce exposure to attackers who may gain network footholds. 3. Integrity monitoring: Implement file integrity monitoring on critical system files such as /etc/rc.local to detect unauthorized changes promptly. 4. Configuration management: Regularly audit device configurations and logs for suspicious modifications or reboot behaviors. 5. Vendor engagement: Maintain close communication with Milesight for timely patch releases and apply updates as soon as they become available. 6. Incident response readiness: Prepare to respond to potential compromises by having procedures to restore device firmware or configurations to known good states. 7. Limit reboot frequency: Minimize unnecessary device reboots to reduce the opportunity for malicious code in rc.local to execute. 8. Use of compensating controls: Where possible, deploy application whitelisting or runtime protection mechanisms to prevent execution of unauthorized scripts or binaries initiated from rc.local.
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Spain, Poland, Belgium
CVE-2025-4043: CWE-1274 in Milesight UG65-868M-EA
Description
An admin user can gain unauthorized write access to the /etc/rc.local file on the device, which is executed on a system boot.
AI-Powered Analysis
Technical Analysis
CVE-2025-4043 is a vulnerability identified in the Milesight UG65-868M-EA device, a product likely used in industrial or IoT contexts given the vendor's typical portfolio. The vulnerability is classified under CWE-1274, which involves improper access control leading to unauthorized write access. Specifically, an authenticated admin user can gain unauthorized write access to the /etc/rc.local file on the device. The /etc/rc.local file is a critical system script executed during system boot, allowing commands within it to run with root privileges. By modifying this file, an attacker with admin credentials can insert arbitrary commands or scripts that will execute on every reboot, potentially establishing persistent control or altering device behavior in a malicious way. The CVSS v3.1 base score is 6.8 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring high privileges (PR:H), no user interaction (UI:N), scope changed (S:C), no confidentiality impact (C:N), high integrity impact (I:H), and no availability impact (A:N). This means the vulnerability requires an attacker to already have admin-level privileges on the device, but once exploited, it can lead to significant integrity violations by allowing persistent unauthorized code execution. There are no known public exploits or patches available at the time of publication (May 7, 2025). The vulnerability was reserved on April 28, 2025, and published shortly after, indicating recent discovery and disclosure. The lack of patches suggests that organizations using this device must take interim mitigations until a vendor fix is released. Given the nature of the device and vulnerability, this could be leveraged in targeted attacks to maintain persistence or escalate control within industrial or IoT networks.
Potential Impact
For European organizations, especially those in critical infrastructure sectors such as energy, manufacturing, or smart city deployments that utilize Milesight UG65-868M-EA devices, this vulnerability poses a significant risk to system integrity. Unauthorized modification of the /etc/rc.local file can allow attackers to implant persistent malicious code that executes on every reboot, potentially leading to long-term compromise of device functionality. This could disrupt operational processes, enable lateral movement within networks, or facilitate espionage. Although exploitation requires admin privileges, in environments where admin credentials are shared or insufficiently protected, the risk is amplified. The integrity impact can lead to unauthorized configuration changes, data manipulation, or sabotage of device operations. Since the vulnerability does not affect confidentiality or availability directly, the primary concern is the trustworthiness and correct operation of the device, which is critical in industrial control systems. The absence of known exploits reduces immediate risk but does not eliminate it, as threat actors could develop exploits rapidly. European organizations with deployments of this device should consider the potential for targeted attacks aiming to establish persistence or manipulate device behavior.
Mitigation Recommendations
1. Restrict and monitor admin access: Enforce strict access controls and multi-factor authentication for admin accounts on Milesight UG65-868M-EA devices to reduce the risk of credential compromise. 2. Network segmentation: Isolate these devices within secure network zones with limited access to reduce exposure to attackers who may gain network footholds. 3. Integrity monitoring: Implement file integrity monitoring on critical system files such as /etc/rc.local to detect unauthorized changes promptly. 4. Configuration management: Regularly audit device configurations and logs for suspicious modifications or reboot behaviors. 5. Vendor engagement: Maintain close communication with Milesight for timely patch releases and apply updates as soon as they become available. 6. Incident response readiness: Prepare to respond to potential compromises by having procedures to restore device firmware or configurations to known good states. 7. Limit reboot frequency: Minimize unnecessary device reboots to reduce the opportunity for malicious code in rc.local to execute. 8. Use of compensating controls: Where possible, deploy application whitelisting or runtime protection mechanisms to prevent execution of unauthorized scripts or binaries initiated from rc.local.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- icscert
- Date Reserved
- 2025-04-28T16:04:15.727Z
- Cisa Enriched
- true
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 682d9819c4522896dcbd855a
Added to database: 5/21/2025, 9:08:41 AM
Last enriched: 7/5/2025, 6:41:59 AM
Last updated: 8/16/2025, 2:20:55 PM
Views: 22
Related Threats
CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR
CriticalCVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.