CVE-2023-25583

Name of the Vulnerable Software and Affected Versions Milesight UR32L version 32.3.0.5

Description Two OS command injection vulnerabilities exist in the zebra vlan name functionality. A specially crafted network request can lead to command execution. An attacker can send a network request to trigger these vulnerabilities. This command injection is in the code branch that manages a new vlan configuration.

Recommendations For Milesight UR32L version 32.3.0.5, consider disabling the vlan name functionality in the zebra code branch until a patch is available. Restrict access to the network to minimize the risk of exploitation. Avoid using the vulnerable code branch to manage new vlan configurations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.