CVE-2025-4043 is a vulnerability identified in the Milesight UG65-868M-EA device, a product likely used in industrial or IoT contexts given the vendor's typical portfolio. The vulnerability is classified under CWE-1274, which involves improper access control leading to unauthorized write access. Specifically, an authenticated admin user can gain unauthorized write access to the /etc/rc.local file on the device. The /etc/rc.local file is a critical system script executed during system boot, allowing commands within it to run with root privileges. By modifying this file, an attacker with admin credentials can insert arbitrary commands or scripts that will execute on every reboot, potentially establishing persistent control or altering device behavior in a malicious way. The CVSS v3.1 base score is 6.8 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring high privileges (PR:H), no user interaction (UI:N), scope changed (S:C), no confidentiality impact (C:N), high integrity impact (I:H), and no availability impact (A:N). This means the vulnerability requires an attacker to already have admin-level privileges on the device, but once exploited, it can lead to significant integrity violations by allowing persistent unauthorized code execution. There are no known public exploits or patches available at the time of publication (May 7, 2025). The vulnerability was reserved on April 28, 2025, and published shortly after, indicating recent discovery and disclosure. The lack of patches suggests that organizations using this device must take interim mitigations until a vendor fix is released. Given the nature of the device and vulnerability, this could be leveraged in targeted attacks to maintain persistence or escalate control within industrial or IoT networks.

For European organizations, especially those in critical infrastructure sectors such as energy, manufacturing, or smart city deployments that utilize Milesight UG65-868M-EA devices, this vulnerability poses a significant risk to system integrity. Unauthorized modification of the /etc/rc.local file can allow attackers to implant persistent malicious code that executes on every reboot, potentially leading to long-term compromise of device functionality. This could disrupt operational processes, enable lateral movement within networks, or facilitate espionage. Although exploitation requires admin privileges, in environments where admin credentials are shared or insufficiently protected, the risk is amplified. The integrity impact can lead to unauthorized configuration changes, data manipulation, or sabotage of device operations. Since the vulnerability does not affect confidentiality or availability directly, the primary concern is the trustworthiness and correct operation of the device, which is critical in industrial control systems. The absence of known exploits reduces immediate risk but does not eliminate it, as threat actors could develop exploits rapidly. European organizations with deployments of this device should consider the potential for targeted attacks aiming to establish persistence or manipulate device behavior.

1. Restrict and monitor admin access: Enforce strict access controls and multi-factor authentication for admin accounts on Milesight UG65-868M-EA devices to reduce the risk of credential compromise. 2. Network segmentation: Isolate these devices within secure network zones with limited access to reduce exposure to attackers who may gain network footholds. 3. Integrity monitoring: Implement file integrity monitoring on critical system files such as /etc/rc.local to detect unauthorized changes promptly. 4. Configuration management: Regularly audit device configurations and logs for suspicious modifications or reboot behaviors. 5. Vendor engagement: Maintain close communication with Milesight for timely patch releases and apply updates as soon as they become available. 6. Incident response readiness: Prepare to respond to potential compromises by having procedures to restore device firmware or configurations to known good states. 7. Limit reboot frequency: Minimize unnecessary device reboots to reduce the opportunity for malicious code in rc.local to execute. 8. Use of compensating controls: Where possible, deploy application whitelisting or runtime protection mechanisms to prevent execution of unauthorized scripts or binaries initiated from rc.local.