CVE-2023-25100 – This vulnerability allows authenticated attacke... (How to Fix)

Q: What is the severity of CVE-2023-25100?

CVE-2023-25100 has a CVSS score of 7.2 (HIGH). This vulnerability allows authenticated attackers with high privileges to execute arbitrary code on Milesight UR32L routers by sending specially crafted HTTP requests that trigger buffer overflows in the vtysh_ubus binary. The vulnerability affects UR32L routers running vulnerable firmware versions due to unsafe sprintf usage in the set_qos function.

📋 TL;DR

This vulnerability allows authenticated attackers with high privileges to execute arbitrary code on Milesight UR32L routers by sending specially crafted HTTP requests that trigger buffer overflows in the vtysh_ubus binary. The vulnerability affects UR32L routers running vulnerable firmware versions due to unsafe sprintf usage in the set_qos function.

💻 Affected Systems

Products:

Milesight UR32L

Versions: v32.3.0.5 and potentially earlier versions

Operating Systems: Embedded Linux firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Requires attacker to have administrative credentials to access the vulnerable HTTP interface.

📦 What is this software?

Ur32l Firmware by Milesight

View all CVEs affecting Ur32l Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with root-level access, enabling persistent backdoors, data exfiltration, and use as a pivot point into internal networks.

🟠

Likely Case

Privileged attacker gains remote code execution on the router, potentially modifying configurations, intercepting traffic, or disabling network services.

🟢

If Mitigated

With proper network segmentation and privilege restrictions, impact limited to isolated router management interface.

🌐 Internet-Facing: HIGH if management interface exposed to internet, as authenticated attackers can exploit remotely.

🏢 Internal Only: HIGH for internal attackers with administrative credentials, as exploit requires authentication but leads to full compromise.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW for authenticated attackers, as buffer overflow is straightforward once access is obtained.

Exploitation requires administrative credentials to access the vulnerable HTTP endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not publicly available

Restart Required: Yes

Instructions:

1. Check Milesight support for firmware updates. 2. Download latest firmware from vendor portal. 3. Upload firmware via web interface. 4. Apply update and reboot router.

🔧 Temporary Workarounds

Restrict HTTP Management Access

linux

Limit access to router management interface to trusted IP addresses only.

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

Disable HTTP Management

linux

Use HTTPS or SSH for management instead of HTTP if supported.

systemctl stop httpd
update-rc.d httpd disable

🧯 If You Can't Patch

Implement strict network segmentation to isolate UR32L routers from critical assets
Enforce strong authentication and limit administrative accounts to minimum necessary users

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface at System > Status or via CLI with 'cat /etc/version'

Check Version:

cat /etc/version

Verify Fix Applied:

Verify firmware version is updated beyond v32.3.0.5 and test HTTP requests to QoS endpoints no longer cause crashes

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP POST requests to QoS-related endpoints
Process crashes of vtysh_ubus binary
Multiple failed authentication attempts followed by successful login

Network Indicators:

HTTP traffic to router management interface from unexpected sources
Unusual outbound connections from router after management access

SIEM Query:

source="router_logs" AND (uri="/cgi-bin/luci/" AND method="POST" AND data CONTAINS "default_class")

📊 Metadata

CVE ID: CVE-2023-25100

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-121

Published: July 6, 2023

Last Updated: November 4, 2025

🔗 References

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1716 Exploit,Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1716 Exploit,Third Party Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1716

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-25100, you might also want to check these: