CVE-2023-25102 – This vulnerability allows attackers with high p... (How to Fix)

Q: What is the severity of CVE-2023-25102?

CVE-2023-25102 has a CVSS score of 7.2 (HIGH). This vulnerability allows attackers with high privileges to execute arbitrary code on Milesight UR32L routers by sending specially crafted HTTP requests that trigger buffer overflows in the vtysh_ubus binary. It affects users of the UR32L router running version v32.3.0.5, potentially leading to full system compromise.

📋 TL;DR

This vulnerability allows attackers with high privileges to execute arbitrary code on Milesight UR32L routers by sending specially crafted HTTP requests that trigger buffer overflows in the vtysh_ubus binary. It affects users of the UR32L router running version v32.3.0.5, potentially leading to full system compromise.

💻 Affected Systems

Products:

Milesight UR32L

Versions: v32.3.0.5

Operating Systems: Embedded Linux-based firmware

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability is in the vtysh_ubus binary and requires high privileges to trigger via HTTP requests.

📦 What is this software?

Ur32l Firmware by Milesight

View all CVEs affecting Ur32l Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker gains full remote control of the router, enabling data theft, network disruption, or use as a pivot point for further attacks.

🟠

Likely Case

Privileged attackers exploit the vulnerability to execute arbitrary commands, potentially modifying router configurations or installing malware.

🟢

If Mitigated

With proper access controls and network segmentation, impact is limited to isolated router compromise without broader network access.

🌐 Internet-Facing: HIGH if the router's web interface is exposed to the internet, as it allows remote exploitation via HTTP requests.

🏢 Internal Only: MEDIUM for internal networks, as attackers would need high privileges and network access, but insider threats or compromised accounts could exploit it.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires high privileges and crafting specific HTTP requests; no public proof-of-concept is known as of the provided references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No vendor advisory URL provided in the references.

Restart Required: No

Instructions:

Check the Milesight vendor website for firmware updates addressing CVE-2023-25102 and apply the latest patch if available.

🔧 Temporary Workarounds

Restrict HTTP Access

all

Limit HTTP access to the router's management interface to trusted IP addresses only.

Use firewall rules to block external HTTP access to the router (e.g., iptables -A INPUT -p tcp --dport 80 -j DROP for Linux-based systems).

🧯 If You Can't Patch

Isolate the router in a segmented network to limit potential lateral movement.
Monitor for unusual HTTP requests or privilege escalation attempts on the router.

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version via the web interface or CLI; if it is v32.3.0.5, it is vulnerable.

Check Version:

In the router CLI, run 'show version' or check the web interface under System > Firmware.

Verify Fix Applied:

After updating, verify the firmware version is no longer v32.3.0.5 and test for buffer overflow via controlled HTTP requests.

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP POST requests to router endpoints, especially with long parameters in hub_ip or hub_gre_ip fields.

Network Indicators:

Spikes in HTTP traffic to the router's management IP on port 80 or 443.

SIEM Query:

Example: 'source_ip=router_management_ip AND http_method=POST AND (uri CONTAINS "set_dmvpn" OR user_agent="malicious")'

📊 Metadata

CVE ID: CVE-2023-25102

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-121

Published: July 6, 2023

Last Updated: November 4, 2025

🔗 References

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1716 Exploit,Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1716 Exploit,Third Party Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1716

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-25102, you might also want to check these: