CVE-2023-24583: Command Injection
First published: Thu Jul 06 2023(Updated: )
Two OS command injection vulnerabilities exist in the urvpn_client cmd_name_action functionality of Milesight UR32L v32.3.0.5. A specially crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger these vulnerabilities.This OS command injection is triggered through a UDP packet.
Credit: talos-cna@cisco.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Milesight UR-32L | =32.3.0.5 | |
| Milesight UR-32L |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the vulnerability ID for this OS command injection vulnerability?
The vulnerability ID for this OS command injection vulnerability is CVE-2023-24583.
What is the affected software?
The affected software is Milesight UR32L v32.3.0.5 firmware.
How severe is this vulnerability?
This vulnerability has a severity rating of 8.8 (high).
How can this vulnerability be exploited?
This vulnerability can be exploited by sending a specially crafted network request to the urvpn_client cmd_name_action functionality of Milesight UR32L v32.3.0.5, allowing arbitrary command execution.
Is there a fix available?
It is recommended to update to a fixed version of Milesight UR32L firmware to mitigate this vulnerability.
- agent/weakness
- agent/type
- agent/severity
- agent/references
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/milesight
- canonical/milesight ur-32l
- version/milesight ur-32l/32.3.0.5