Milesight Industrial Router Faces Multiple RCE Vulnerabilities: Cisco Talos Report

August 3, 2023

Cisco Talos has issued a warning about numerous vulnerabilities present in the Milesight UR32L industrial router. These vulnerabilities could potentially be exploited to execute arbitrary code or commands. The UR32L router, which provides WCDMA and 4G LTE support, Ethernet ports, and remote device management, is a cost-effective solution for a wide array of M2M/IoT applications.

During their analysis of the UR32L router and MilesightVPN, the accompanying remote access solution, Talos reported over 20 vulnerabilities, resulting in 69 CVEs. Out of these, 63 directly affect the industrial router. The most severe vulnerability identified is CVE-2023-23902, which has a CVSS score of 9.8. This vulnerability is a buffer overflow in the router's HTTP server login functionality, which could lead to remote code execution (RCE) via network requests. “This is the most severe vulnerability found on the router. Indeed, it is a pre-authentication remote stack-based buffer overflow. An unauthenticated attacker able to communicate with the HTTP server would be able to perform remote command execution,” Talos explains.

Except for two bugs, the remaining vulnerabilities affecting the UR32L router are high-severity flaws, most of which could lead to arbitrary code execution or command execution. The vulnerabilities affecting the MilesightVPN application, according to Talos, can be exploited to execute commands, read arbitrary files, bypass authentication, and inject arbitrary Javascript code. The vendor offers MilesightVPN as a means to ensure that the UR32L router is not exposed to the internet, thereby reducing the attack surface. However, Talos indicates that an attacker could exploit an authentication bypass in the VPN software (tracked as CVE-2023-22319) and then execute arbitrary code on the device by exploiting CVE-2023-23902.

Talos also points out that these vulnerabilities were reported to the vendor in February 2023, but no software update has been released to address them. Milesight has been contacted for a statement on this matter. These flaws in the Milesight router were discovered as part of a larger research initiative focused on SOHO router bugs, which has uncovered 289 vulnerabilities over five years. This research was initiated by the discovery of the VPNFilter malware in 2018, and has also identified issues in router models from various manufacturers, as well as in OpenWrt, FreshTomato, Asuswrt, and NetUSB.ko. However, apart from the Milesight vulnerabilities, the rest of the identified security defects were publicly disclosed between 2018 and 2022.

Latest News

• Top Exploited Cybersecurity Vulnerabilities of 2022 Unveiled by FBI, CISA, and NSA
• Ivanti Reveals Critical Authentication Bypass Vulnerability in MobileIron Core
• Ongoing Attacks Breach Over 640 Citrix Servers Exploiting Critical RCE Vulnerability
• Critical Security Flaw Discovered in Stripe Payment Plugin for WooCommerce
• CISA Catalog Includes Second Actively Exploited Ivanti EPMM Flaw