CVE-2023-25582

Name of the Vulnerable Software and Affected Versions Milesight UR32L version 32.3.0.5

Description Two OS command injection vulnerabilities exist in the zebra vlan name functionality. A specially crafted network request can lead to command execution. An attacker can send a network request to trigger these vulnerabilities. This command injection is in the code branch that manages an already existing vlan configuration.

Recommendations For Milesight UR32L version 32.3.0.5, consider disabling the zebra vlan name functionality until a patch is available to prevent command execution. Restrict access to the vlan configuration management code branch to minimize the risk of exploitation. Avoid using the vulnerable code branch to manage existing vlan configurations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.