CVE-2023-24582

Name of the Vulnerable Software and Affected Versions Milesight UR32L version 32.3.0.5

Description The issue is related to OS command injection vulnerabilities in the urvpn client cmd name action functionality. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities, which are triggered through a TCP packet.

Recommendations For Milesight UR32L version 32.3.0.5, consider restricting access to the urvpn client cmd name action functionality until a patch is available. As a temporary workaround, disabling the functionality that allows arbitrary command execution through TCP packets may help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.