Login Sign Up

CVE-2023-23902

9.8 CRITICAL
Remote Code Execution Buffer Overflow

📋 TL;DR

A buffer overflow vulnerability in the uhttpd login functionality of Milesight UR32L routers allows remote attackers to execute arbitrary code by sending specially crafted network requests. This affects Milesight UR32L routers running vulnerable firmware versions. Successful exploitation gives attackers full control over the affected device.

💻 Affected Systems

Products:
  • Milesight UR32L
Versions: v32.3.0.5 and likely earlier versions
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the uhttpd web server component used for device management interface.

📦 What is this software?

Ur32l Firmware by Milesight

View all CVEs affecting Ur32l Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, lateral movement to internal networks, data exfiltration, and use as a botnet node.

🟠

Likely Case

Remote code execution allowing attackers to modify device configuration, intercept network traffic, or use the device as an initial access point for further attacks.

🟢

If Mitigated

Attack prevented by network segmentation and access controls, limiting impact to isolated network segments.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details published in Talos Intelligence reports; buffer overflow in login functionality requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check with Milesight for updated firmware

Vendor Advisory: https://www.milesight.com/support/security-advisory/

Restart Required: Yes

Instructions:

1. Check Milesight support portal for security advisory. 2. Download latest firmware version. 3. Backup current configuration. 4. Upload and install new firmware via web interface. 5. Reboot device. 6. Verify firmware version.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate UR32L devices from internet and restrict access to management interface

Access Control Lists

linux

Implement firewall rules to restrict access to uhttpd service (typically port 80/443)

iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Disable remote management interface if not required
  • Implement strict network segmentation and monitor for exploit attempts

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface at System > Maintenance > Firmware or via SSH with 'cat /etc/version'

Check Version:

cat /etc/version

Verify Fix Applied:

Verify firmware version is updated beyond v32.3.0.5 and test login functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual login attempts
  • Buffer overflow patterns in web logs
  • Unexpected process execution

Network Indicators:

  • Malformed HTTP requests to login endpoint
  • Exploit traffic patterns matching Talos report

SIEM Query:

source="ur32l_logs" AND (http_uri="/login" AND http_method="POST" AND http_content_length>normal)

📊 Metadata

CVE ID: CVE-2023-23902
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-121
Published: July 6, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-23902, you might also want to check these:

CVE-2024-39791 10.0

CVE-2024-39791 is a critical stack-based buffer overflow vulnerability in Vonets industrial WiFi bri...

Same vulnerability type (CWE-121)
CVE-2022-20699 10.0

This critical vulnerability in Cisco Small Business routers allows unauthenticated remote attackers ...

Same vulnerability type (CWE-121)
CVE-2022-20701 10.0

This CVE describes multiple critical vulnerabilities in Cisco Small Business RV series routers that ...

Same vulnerability type (CWE-121)