Milesight industrial router vulnerabilities discovered

Sixty-three security vulnerabilities have been identified by Cisco Talos in Milesight's UR32L industrial routers, SecurityWeek reports. Attackers could leverage the most severe of the discovered flaws, tracked as CVE-2023-23902, to conduct network request-facilitated remote code execution attacks, according to Cisco Talos researchers. Most of the other high-severity bugs impacting the routers could also be exploited to achieve arbitrary code or command execution. Researchers have also discovered vulnerabilities in the MileSightVPN app, which could be used for command execution, authentication evasion, arbitrary file reading, and arbitrary JavaScript code injections. While MileSightVPN has been offered to better protect the UR32L routers from attacks, exploitation of both products' vulnerabilities could be done in a single attack campaign. Meanwhile, Milesight assured the safety of its UR32L routers. "We had solved some obstacles encountered in some areas, and met the disclosure requirements requested by some clients in some regulatory areas. Also, the new firmware version has already been tested by Talos and our support team is working together with them," said Milesight.