CVE-2023-25583

7.2 HIGH

📋 TL;DR

Two OS command injection vulnerabilities in the zebra vlan_name functionality of Milesight UR32L routers allow remote attackers to execute arbitrary commands via specially crafted network requests. This affects Milesight UR32L routers running vulnerable firmware versions, potentially giving attackers full control over affected devices.

💻 Affected Systems

Products:
  • Milesight UR32L
Versions: v32.3.0.5 and earlier
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration when VLAN functionality is exposed to network requests.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise leading to persistent backdoor installation, lateral movement to internal networks, data exfiltration, and use as a pivot point for further attacks.

🟠

Likely Case

Unauthenticated remote code execution allowing attackers to modify device configuration, intercept network traffic, or use the device as part of a botnet.

🟢

If Mitigated

Limited impact if network segmentation prevents access to vulnerable interfaces and strict firewall rules block external requests.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the vulnerable interface but no authentication. Public exploit details available in Talos reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check with Milesight for latest firmware

Vendor Advisory: https://www.milesight.com/support/security-advisory/

Restart Required: Yes

Instructions:

1. Check current firmware version.
2. Download latest firmware from Milesight support portal.
3. Upload firmware via web interface.
4. Apply update and restart device.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate UR32L devices from untrusted networks and restrict access to management interfaces.

Firewall Rules (applies to: linux)

Block external access to vulnerable VLAN configuration endpoints:

iptables -A INPUT -p tcp --dport [management-port] -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate UR32L devices
  • Deploy network-based intrusion detection to monitor for exploit attempts

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface or SSH: cat /etc/version

Check Version:

cat /etc/version

Verify Fix Applied:

Verify firmware version is newer than v32.3.0.5 and test VLAN configuration functionality
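A version check that compares `cat /etc/version` output against the last vulnerable release numerically rather than as a string, as an added example that is not part of this advisory or Milesight's own tooling. It assumes the version string has the form `v32.3.0.5` (the advisory's notation); any suffix after the numeric fields is ignored. Plain string comparison would wrongly rank `v32.3.0.10` below `v32.3.0.5`, which is the pitfall this avoids.

```python
import re

# Last vulnerable release named in the advisory; anything at or below it is affected.
LAST_VULNERABLE = "v32.3.0.5"


def parse_version(text):
    """Turn 'v32.3.0.5' (optionally followed by a build tag) into a tuple of ints."""
    match = re.search(r"(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError("no numeric version found in %r" % text)
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(reported_version, last_vulnerable=LAST_VULNERABLE):
    """True when the reported firmware is at or below the last vulnerable version.

    Tuples compare field by field, so 32.3.0.10 correctly sorts above 32.3.0.5.
    Shorter tuples compare as lower (32.3.0 < 32.3.0.5), which is the safe direction.
    """
    return parse_version(reported_version) <= parse_version(last_vulnerable)


if __name__ == "__main__":
    # Constructed sample outputs of `cat /etc/version`; not captured from a real device.
    for sample in ("v32.3.0.5", "v32.3.0.4", "v32.3.0.10", "v32.3.1.0 build-2024"):
        state = "VULNERABLE" if is_vulnerable(sample) else "fixed"
        print("%-24s %s" % (sample, state))
```

Run it on the device (or paste the `/etc/version` output into `is_vulnerable`) after applying the firmware update; a result of `fixed` confirms the version is past v32.3.0.5, though the advisory's advice to also test VLAN configuration functionality still applies.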

📡 Detection & Monitoring

Log Indicators:

  • Unusual VLAN configuration requests
  • Command execution patterns in system logs
  • Unexpected process creation

Network Indicators:

  • Malformed VLAN configuration packets
  • Unusual outbound connections from UR32L
  • Exploit pattern matching in network traffic

SIEM Query:

source="ur32l" AND (event="vlan_config" OR event="command_exec")
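A concrete form of the "unusual VLAN configuration requests" indicator above, as an added example that is not part of this advisory: a log scanner that pulls the `vlan_name` parameter out of web-request log lines and flags values containing shell metacharacters, which is the signature of an OS command injection attempt against a field that reaches a command line. The log line layout (`timestamp source-ip METHOD path [body]`) and the `/cgi-bin/vlan` path are assumptions for the example, not the router's real log format; adapt `LOG_RE` to whatever your collector records.

```python
import re
from urllib.parse import parse_qsl

# Characters a shell would interpret if the value were spliced into a command unquoted.
SHELL_META = set(";|&`$(){}<>\n\r")

# Assumed log layout: "<timestamp> <src-ip> <METHOD> <path> [<urlencoded body>]".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)(?:\s+(?P<body>.*))?$"
)


def scan_log(lines, param="vlan_name"):
    """Return one finding per request whose `param` value carries shell metacharacters."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a request line we understand; skip rather than guess
        query = match.group("path").partition("?")[2]
        body = match.group("body") or ""
        for encoded in (query, body):
            # parse_qsl percent-decodes, so %3B is seen as ';' just as the CGI would see it.
            for key, value in parse_qsl(encoded, keep_blank_values=True):
                if key != param:
                    continue
                bad = sorted(set(value) & SHELL_META)
                if bad:
                    findings.append({
                        "ts": match.group("ts"),
                        "src": match.group("src"),
                        "value": value,
                        "metachars": bad,
                    })
    return findings


# Constructed sample log; the two entries from 203.0.113.9 carry encoded metacharacters.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z 10.0.0.5 POST /cgi-bin/vlan vlan_name=office&vlan_id=10
2024-05-01T08:00:07Z 10.0.0.5 POST /cgi-bin/vlan vlan_name=guest-wifi&vlan_id=20
2024-05-01T08:01:15Z 203.0.113.9 POST /cgi-bin/vlan vlan_name=lab%3Bdate&vlan_id=30
2024-05-01T08:01:16Z 203.0.113.9 GET /cgi-bin/vlan?vlan_name=%24%28date%29
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print("%s %s vlan_name=%r metachars=%s" % (f["ts"], f["src"], f["value"], "".join(f["metachars"])))
```

A legitimate VLAN name never needs `;`, `$`, backticks or parentheses, so a match is a strong signal rather than a heuristic; feed the findings into the SIEM query above as a `command_exec` precursor, and treat a hit from a source outside the management subnet as an exploit attempt.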

🔗 References
