CVE-2023-25122

7.2 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers with high privileges to execute arbitrary code on Milesight UR32L routers by sending specially crafted HTTP requests that trigger buffer overflows in the vtysh_ubus binary. The overflow is in the set_openvpn_client function, where sprintf formats the attacker-controlled old_remote_subnet and old_remote_mask values into a buffer without any length check. Only Milesight UR32L routers running vulnerable firmware are affected.
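Added illustration of the bug class described above, not the vendor's vtysh_ubus code: a hypothetical unsafe sprintf pattern next to a hardened version that validates both values as dotted-quad IPv4 (and, going a step beyond what the advisory requires, checks that the mask is contiguous) before formatting with a bounded snprintf. The buffer size, function names and the "route <subnet> <mask>" command text are assumptions made for the example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* Hypothetical buffer size; the real binary's size is not known from the advisory. */
#define CMD_BUF_LEN 64

/* Unsafe pattern (illustrative): sprintf writes as many bytes as the inputs
 * demand and never looks at the size of `out`, so values longer than the
 * buffer overwrite whatever follows it. This is the shape of the defect the
 * advisory attributes to set_openvpn_client. */
void build_remote_route_unsafe(char *out, const char *old_remote_subnet,
                               const char *old_remote_mask) {
    sprintf(out, "route %s %s", old_remote_subnet, old_remote_mask);
}

/* Accept only a dotted-quad IPv4 string; anything else, including long
 * junk, is rejected before it reaches any formatting call. */
static int parse_ipv4(const char *s, uint32_t *host_order) {
    struct in_addr a;
    if (s == NULL || inet_pton(AF_INET, s, &a) != 1) return 0;
    *host_order = ntohl(a.s_addr);
    return 1;
}

/* A netmask must be a run of 1-bits followed by 0-bits (e.g. 255.255.255.0).
 * Extra strictness beyond the advisory: rejects masks such as 255.255.0.255. */
static int is_contiguous_mask(uint32_t m) {
    uint32_t inv = ~m;                   /* valid masks invert to 2^k - 1 */
    return (inv & (inv + 1)) == 0;
}

/* Hardened version: validate both values, then format with snprintf and
 * treat truncation as an error. Returns 0 on success, -1 on any failure;
 * on failure `out` is left as an empty string. */
int build_remote_route(char *out, size_t outlen, const char *old_remote_subnet,
                       const char *old_remote_mask) {
    uint32_t subnet, mask;
    if (out == NULL || outlen == 0) return -1;
    out[0] = '\0';
    if (!parse_ipv4(old_remote_subnet, &subnet)) return -1;
    if (!parse_ipv4(old_remote_mask, &mask) || !is_contiguous_mask(mask)) return -1;
    int n = snprintf(out, outlen, "route %s %s", old_remote_subnet, old_remote_mask);
    if (n < 0 || (size_t)n >= outlen) {   /* encoding error or truncated */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void) {
    char cmd[CMD_BUF_LEN];
    /* Constructed inputs: one well-formed pair, one bad mask, one oversized value. */
    const char *inputs[][2] = {
        {"10.8.0.0", "255.255.255.0"},
        {"10.8.0.0", "255.255.0.255"},
        {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
         "255.255.255.0"},
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = build_remote_route(cmd, sizeof cmd, inputs[i][0], inputs[i][1]);
        printf("%.20s / %s -> %s\n", inputs[i][0], inputs[i][1],
               rc == 0 ? cmd : "rejected");
    }
    return 0;
}
```

The validation step is what removes the attack surface: once both values must parse as IPv4 addresses, their length is bounded to 15 characters each, and the snprintf truncation check is defense in depth against a later change to the format string or buffer size.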

💻 Affected Systems

Products:
  • Milesight UR32L
Versions: v32.3.0.5
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have high privileges (authenticated access) to exploit. The vtysh_ubus binary must be accessible via HTTP requests.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with root-level arbitrary code execution, enabling persistent backdoor installation, network traffic interception, and lateral movement to other devices.

🟠 Likely Case

Privilege escalation leading to router configuration modification, credential theft, and network disruption through service manipulation.

🟢 If Mitigated

Limited impact due to authentication requirements and network segmentation preventing widespread damage.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authentication with high privileges and specific knowledge of the vulnerable function parameters. No public exploit code has been released as of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: Yes

Instructions:

1. Check the Milesight website for security advisories.
2. If a patch is available, download the firmware update.
3. Back up the current configuration.
4. Upload and apply the firmware update via the web interface.
5. Reboot the router.
6. Verify the version update.

🔧 Temporary Workarounds

Network Segmentation

Isolate UR32L routers from untrusted networks and restrict HTTP access to trusted management IPs only. TRUSTED_IP is a placeholder for your management address or range. If the management interface is also served over HTTPS, apply the same pair of rules to port 443, and because -A appends, confirm no earlier rule in the chain already accepts this traffic.

iptables -A INPUT -p tcp --dport 80 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

Privilege Reduction

Implement least-privilege access controls and remove unnecessary administrative accounts. The account names below are placeholders; router web-interface accounts are typically managed from the device's own user settings rather than the Linux user database, so make the equivalent change there as well.

userdel unnecessary_admin
passwd -l default_admin

🧯 If You Can't Patch

  • Implement strict network access controls to limit HTTP access to the router's management interface
  • Monitor for unusual HTTP requests to vtysh_ubus endpoints and implement intrusion detection

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the web interface or SSH:

grep -F 32.3.0.5 /etc/version

Check Version:

cat /etc/version

Verify Fix Applied:

Confirm that the firmware version is no longer v32.3.0.5 and that the vendor's release notes for the installed version list the security fix.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP POST requests to vtysh_ubus endpoints
  • Multiple failed authentication attempts followed by successful high-privilege access
  • Process crashes or abnormal restarts of vtysh_ubus service

Network Indicators:

  • HTTP traffic containing old_remote_subnet or old_remote_mask parameters in requests
  • Unusual outbound connections from router to external IPs

SIEM Query:

source="router_logs" AND (uri="*vtysh_ubus*" AND (param="*old_remote_subnet*" OR param="*old_remote_mask*"))
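Added detection sketch, not the vendor's or this page's own tooling: it applies the SIEM logic above (a vtysh_ubus URI carrying old_remote_subnet or old_remote_mask as a parameter) to Apache-style access-log lines, matching on the request target only so that the parameter names appearing elsewhere in the line (referer, user agent, an unrelated path) do not fire. The log format, the /cgi-bin/vtysh_ubus path and the sample lines are all constructed assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy the request target ("/path?query") out of a line shaped like
 *   1.2.3.4 - user [ts] "POST /x?y=1 HTTP/1.1" 200 12
 * into `out`. Returns 1 on success, 0 if the line does not have that shape
 * or the target does not fit. */
static int extract_target(const char *line, char *out, size_t outlen) {
    const char *q = strchr(line, '"');
    if (q == NULL) return 0;
    const char *sp = strchr(q + 1, ' ');      /* end of the method token */
    if (sp == NULL) return 0;
    const char *start = sp + 1;
    const char *end = strchr(start, ' ');     /* end of the target */
    if (end == NULL) end = strchr(start, '"');
    if (end == NULL) return 0;
    size_t len = (size_t)(end - start);
    if (len + 1 > outlen) return 0;
    memcpy(out, start, len);
    out[len] = '\0';
    return 1;
}

/* True only if `name` occurs as a query-string key: preceded by '?' or '&'
 * and followed by '='. A bare substring match would also hit values. */
static int has_param(const char *target, const char *name) {
    size_t n = strlen(name);
    const char *p = target;
    while ((p = strstr(p, name)) != NULL) {
        if (p > target && (p[-1] == '?' || p[-1] == '&') && p[n] == '=') return 1;
        p += n;
    }
    return 0;
}

/* The advisory's indicator: vtysh_ubus in the URI plus either parameter. */
int is_suspicious_request(const char *line) {
    char target[512];
    if (!extract_target(line, target, sizeof target)) return 0;
    if (strstr(target, "vtysh_ubus") == NULL) return 0;
    return has_param(target, "old_remote_subnet") || has_param(target, "old_remote_mask");
}

int count_suspicious(const char *const *lines, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) hits += is_suspicious_request(lines[i]);
    return hits;
}

/* Constructed sample log: lines 1 and 5 should match, the others should not
 * (no parameter; parameter but no vtysh_ubus; unrelated request). */
static const char *const SAMPLE_LOG[] = {
    "192.0.2.10 - admin [01/Jan/2024:10:00:00 +0000] \"POST /cgi-bin/vtysh_ubus?old_remote_subnet=10.0.0.0&old_remote_mask=255.0.0.0 HTTP/1.1\" 200 12",
    "192.0.2.11 - - [01/Jan/2024:10:00:01 +0000] \"GET /index.html HTTP/1.1\" 200 512",
    "192.0.2.12 - admin [01/Jan/2024:10:00:02 +0000] \"GET /cgi-bin/vtysh_ubus?cmd=show HTTP/1.1\" 200 90",
    "192.0.2.13 - - [01/Jan/2024:10:00:03 +0000] \"GET /help?q=old_remote_mask HTTP/1.1\" 404 0",
    "192.0.2.14 - admin [01/Jan/2024:10:00:04 +0000] \"POST /cgi-bin/vtysh_ubus?old_remote_mask=255.255.255.0 HTTP/1.1\" 500 0",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

int main(void) {
    for (size_t i = 0; i < SAMPLE_LOG_LEN; i++)
        if (is_suspicious_request(SAMPLE_LOG[i]))
            printf("ALERT: %s\n", SAMPLE_LOG[i]);
    printf("%d suspicious of %zu lines\n",
           count_suspicious(SAMPLE_LOG, SAMPLE_LOG_LEN), SAMPLE_LOG_LEN);
    return 0;
}
```

One caveat worth keeping in mind: an access log records the request line, not the body. If the parameters travel in a POST body rather than the query string, this check (and the SIEM query above) only sees them when a reverse proxy or packet capture in front of the router logs request bodies, and the 500 status on the last sample line is the kind of process-crash signal the Log Indicators list points at.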
