CVE-2023-25106 – Multiple buffer overflow vulnerabilities in the... (How to Fix)

Q: What is the severity of CVE-2023-25106?

CVE-2023-25106 has a CVSS score of 7.2 (HIGH). Multiple buffer overflow vulnerabilities in the vtysh_ubus binary of Milesight UR32L routers allow arbitrary code execution via specially crafted HTTP requests. Attackers with high privileges can exploit these vulnerabilities to gain control of affected devices. This affects Milesight UR32L routers running vulnerable firmware versions.

📋 TL;DR

Multiple buffer overflow vulnerabilities in the vtysh_ubus binary of Milesight UR32L routers allow arbitrary code execution via specially crafted HTTP requests. Attackers with high privileges can exploit these vulnerabilities to gain control of affected devices. This affects Milesight UR32L routers running vulnerable firmware versions.

💻 Affected Systems

Products:

Milesight UR32L

Versions: v32.3.0.5 and potentially earlier versions

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Requires attacker to have high privileges to send HTTP requests to vulnerable endpoint.

📦 What is this software?

Ur32l Firmware by Milesight

View all CVEs affecting Ur32l Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, network pivoting, data exfiltration, and use in botnets or ransomware attacks.

🟠

Likely Case

Privileged attacker gains remote code execution on router, enabling traffic interception, credential theft, and lateral movement within the network.

🟢

If Mitigated

Limited impact due to network segmentation, strict access controls, and monitoring preventing successful exploitation.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires authenticated access and knowledge of vulnerable endpoint. Technical details are publicly available in Talos reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Milesight website for security advisories. 2. Download latest firmware if available. 3. Backup configuration. 4. Upload firmware via web interface. 5. Reboot device. 6. Restore configuration if needed.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate UR32L devices from critical networks and restrict access to management interfaces.

Access Control

all

Implement strict firewall rules to limit HTTP access to UR32L management interface to trusted IPs only.

🧯 If You Can't Patch

Implement network segmentation to isolate UR32L from critical assets
Enable strict logging and monitoring for suspicious HTTP requests to UR32L management interface

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface or CLI. If version is v32.3.0.5 or earlier, assume vulnerable.

Check Version:

Check web interface System Status page or use CLI command if available

Verify Fix Applied:

Verify firmware version is updated beyond v32.3.0.5. Check vendor advisory for specific patched version.

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP requests to UR32L management interface
Multiple failed authentication attempts followed by successful access
Unexpected process execution or system modifications

Network Indicators:

HTTP traffic to UR32L management interface from unauthorized sources
Unusual outbound connections from UR32L device

SIEM Query:

source_ip=UR32L_IP AND (http_method=POST OR http_method=PUT) AND uri_contains="set_gre" OR process_name="vtysh_ubus" AND event_type="execution"

📊 Metadata

CVE ID: CVE-2023-25106

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-121

Published: July 6, 2023

Last Updated: November 4, 2025

🔗 References

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1716 Exploit,Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1716 Exploit,Third Party Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1716

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-25106, you might also want to check these: