CVE-2023-25116

7.2 HIGH

📋 TL;DR

Multiple buffer overflow vulnerabilities in the vtysh_ubus binary of Milesight UR32L routers allow arbitrary code execution via specially crafted HTTP requests. Attackers with high privileges can exploit these vulnerabilities to gain control of affected devices. This affects Milesight UR32L routers running vulnerable firmware versions.

💻 Affected Systems

Products:
  • Milesight UR32L
Versions: v32.3.0.5 and possibly earlier versions
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker with high privileges; vulnerable function is set_openvpn_client with local_virtual_ip and remote_virtual_ip variables

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete device compromise leading to persistent backdoor installation, network pivoting, data exfiltration, and use as an attack platform

🟠 Likely Case: A privileged attacker gains remote code execution to modify configurations, intercept traffic, or disrupt network services

🟢 If Mitigated: The attack fails due to proper network segmentation, privilege restrictions, or exploit mitigations

🌐 Internet-Facing: HIGH - HTTP interface may be exposed to internet, allowing remote exploitation
🏢 Internal Only: HIGH - Even internally, privileged attackers can exploit via HTTP requests

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires high privileges; exploitation involves crafting specific HTTP requests to trigger buffer overflow in vtysh_ubus binary

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check with Milesight for latest firmware

Vendor Advisory: https://www.milesight.com/support/security-advisory/

Restart Required: Yes

Instructions:

1. Check the Milesight security advisory for patch availability
2. Download the latest firmware from the vendor portal
3. Back up the current configuration
4. Upload and apply the firmware update
5. Verify the update succeeded and that the device functions correctly

🔧 Temporary Workarounds

Network Segmentation (Linux)

Isolate UR32L devices from untrusted networks and restrict HTTP access to the management interface

# Replace trusted_network with your management subnet (e.g. CIDR form).
# -A appends, so an earlier ACCEPT rule for port 80 would still match first;
# check the chain order with `iptables -L INPUT -n --line-numbers`.
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

Privilege Restriction (all platforms)

Limit administrative access to only the personnel who need it and enforce strong authentication

🧯 If You Can't Patch

  • Implement strict network access controls to limit HTTP interface exposure
  • Monitor for suspicious HTTP requests that reach the vtysh_ubus handler (in particular set_openvpn_client calls) and feed them to intrusion detection

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface or CLI; if version is v32.3.0.5 or earlier, assume vulnerable

Check Version:

Check web interface System Status or use vendor-specific CLI commands

Verify Fix Applied:

Verify firmware version has been updated beyond v32.3.0.5 and test OpenVPN client functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to vtysh_ubus endpoints
  • Multiple failed authentication attempts followed by successful privileged access
  • Unexpected process creation or system modifications

Network Indicators:

  • HTTP POST requests with unusually long parameters to router management interface
  • Traffic patterns suggesting buffer overflow attempts

SIEM Query:

source="router_logs" AND (uri="*vtysh_ubus*" AND (param_length>1000 OR contains(param,"local_virtual_ip") OR contains(param,"remote_virtual_ip")))
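The pseudo-query above can be turned into concrete detection logic. The following is an added example, not part of the advisory or the vendor's tooling: it checks the two parameters this page names (local_virtual_ip, remote_virtual_ip) for oversized or non-IP values in requests that reach vtysh_ubus. The log line format and the /cgi-bin/vtysh_ubus path are constructed assumptions; a proxy or WAF that records the request body is assumed.

```python
"""Flag set_openvpn_client requests whose local_virtual_ip / remote_virtual_ip
values are oversized or are not plain IP literals.  Added example; the log
format and the request path below are constructed for illustration."""
import ipaddress
import re
from urllib.parse import parse_qs

WATCHED_PARAMS = ("local_virtual_ip", "remote_virtual_ip")
MAX_LEN = 64  # an IPv4/IPv6 literal never needs more characters than this

# Constructed log format: "<METHOD> <path> body=<url-encoded body>"
LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+)(?: body=(?P<body>.*))?$")


def is_suspicious_value(value):
    """True when the value is too long or does not parse as an IP address."""
    if len(value) > MAX_LEN:
        return True
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return True
    return False


def analyze_line(line):
    """Return a finding dict for an in-scope request with bad values, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, body = m.group("path"), m.group("body") or ""
    # Only requests that reach the vtysh_ubus handler are in scope.
    if "vtysh_ubus" not in path and "set_openvpn_client" not in body:
        return None
    params = parse_qs(body, keep_blank_values=True)
    hits = {p: max(len(v) for v in params[p]) for p in WATCHED_PARAMS
            if p in params and any(is_suspicious_value(v) for v in params[p])}
    return {"path": path, "suspicious": hits} if hits else None


def scan(lines):
    """Run analyze_line over an iterable of log lines; keep the findings."""
    return [r for r in (analyze_line(l) for l in lines) if r]


SAMPLE_LOG = [  # constructed sample lines, not real device logs
    "POST /cgi-bin/vtysh_ubus body=func=set_openvpn_client&local_virtual_ip=10.8.0.2&remote_virtual_ip=10.8.0.1",
    "POST /cgi-bin/vtysh_ubus body=func=set_openvpn_client&local_virtual_ip=" + "A" * 1200 + "&remote_virtual_ip=10.8.0.1",
    "GET /status body=",
]
```

A benign call with two valid addresses produces no finding; only the request carrying a 1200-byte local_virtual_ip is reported.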
