PT-2023-18608 · Milesight · Milesight Ur32L

Francesco Benvenuto

Published

2023-07-06

Updated

2023-07-13

CVE-2023-22659

CVSS v3.1

7.2

High

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Milesight UR32L version 32.3.0.5

Description An os command injection issue exists in the libzebra.so change hostname functionality. A specially-crafted network packet can lead to command execution. An attacker can send a sequence of requests to trigger this issue.

Recommendations For Milesight UR32L version 32.3.0.5, consider disabling the change hostname functionality in libzebra.so until a patch is available to prevent potential command execution. Restrict access to the network to minimize the risk of exploitation.

Exploit

Fix

OS Command Injection

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-78CWE-77

Related Identifiers

CVE-2023-22659

Affected Products

Milesight Ur32L

PT-2023-18608 · Milesight · Milesight Ur32L

CVE-2023-22659

Weakness Enumeration

Related Identifiers

Affected Products

References · 4