CVE-2023-25118 – This vulnerability allows authenticated attacke... (How to Fix)

Q: What is the severity of CVE-2023-25118?

CVE-2023-25118 has a CVSS score of 7.2 (HIGH). This vulnerability allows authenticated attackers with high privileges to execute arbitrary code on Milesight UR32L routers by sending specially crafted HTTP requests. The buffer overflow occurs in the vtysh_ubus binary when processing OpenVPN client credentials. Only Milesight UR32L routers running vulnerable firmware are affected.

📋 TL;DR

This vulnerability allows authenticated attackers with high privileges to execute arbitrary code on Milesight UR32L routers by sending specially crafted HTTP requests. The buffer overflow occurs in the vtysh_ubus binary when processing OpenVPN client credentials. Only Milesight UR32L routers running vulnerable firmware are affected.

💻 Affected Systems

Products:

Milesight UR32L

Versions: v32.3.0.5 and possibly earlier versions

Operating Systems: Embedded Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Requires attacker to have high privileges (admin/root access) to exploit via HTTP requests.

📦 What is this software?

Ur32l Firmware by Milesight

View all CVEs affecting Ur32l Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing attacker to install persistent backdoors, pivot to internal networks, or disrupt critical infrastructure.

🟠

Likely Case

Attacker gains root access to the router, enabling network traffic interception, credential theft, and lateral movement.

🟢

If Mitigated

Limited impact if proper network segmentation and privilege controls prevent attackers from reaching the vulnerable interface.

🌐 Internet-Facing: HIGH - HTTP interface may be exposed to internet, allowing remote exploitation if accessible.

🏢 Internal Only: HIGH - Even internal attackers with high privileges can exploit this for complete system control.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW - Once authenticated with high privileges, exploitation is straightforward.

Exploitation requires high privilege access, but the vulnerability itself is simple buffer overflow from unsafe sprintf usage.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check Milesight website for firmware updates. 2. Download latest firmware. 3. Upload via web interface. 4. Reboot router.

🔧 Temporary Workarounds

Disable OpenVPN Client Feature

linux

Remove or disable OpenVPN client functionality to prevent exploitation via vulnerable set_openvpn_client function.

# Disable OpenVPN client via web interface or CLI
# No specific commands available - use administrative interface

Restrict HTTP Access

linux

Limit HTTP interface access to trusted networks only using firewall rules.

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

Implement strict network segmentation to isolate UR32L routers from untrusted networks.
Enforce principle of least privilege - ensure no users have unnecessary high privileges on the router.

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface (System > Status) or SSH command 'cat /etc/version' for v32.3.0.5 or earlier.

Check Version:

cat /etc/version

Verify Fix Applied:

Verify firmware version is updated beyond v32.3.0.5 and test OpenVPN client functionality with malformed inputs.

📡 Detection & Monitoring

Log Indicators:

Unusual HTTP requests to OpenVPN configuration endpoints
Multiple failed authentication attempts followed by successful high-privilege access
Process crashes in vtysh_ubus binary

Network Indicators:

HTTP POST requests with unusually long username/password parameters to router management interface
Traffic patterns suggesting buffer overflow exploitation

SIEM Query:

source="router_logs" AND (http_uri="*openvpn*" AND (param_length>100 OR process="vtysh_ubus" AND event="crash"))

📊 Metadata

CVE ID: CVE-2023-25118

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-121

Published: July 6, 2023

Last Updated: November 4, 2025

🔗 References

https://talosintelligence.com/vulnerability_reports/TALOS-2023-1716 Exploit,Third Party Advisory
https://talosintelligence.com/vulnerability_reports/TALOS-2023-1716 Exploit,Third Party Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1716

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-25118, you might also want to check these: