CVE-2023-43261
Published: 2023-10-04
An information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 allows attackers to access sensitive router components.
Priority: P1 · 81 · high
CVSS 3.1 base score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
ITW exploit: VulnCheck KEV · Exploited in the wild
EPSS: 60.11% (99.0th percentile)
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| milesight | ur32_firmware | < 35.3.0.7 | 35.3.0.7 |
| milesight | ur32l_firmware | < 35.3.0.7 | 35.3.0.7 |
| milesight | ur35_firmware | < 35.3.0.7 | 35.3.0.7 |
| milesight | ur41_firmware | < 35.3.0.7 | 35.3.0.7 |
| milesight | ur5x_firmware | < 35.3.0.7 | 35.3.0.7 |
Detection & IOCs (extracted from sources)
- YARA regex: '"username":"([^"]+)","password":"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)"'
- Detect unauthenticated HTTP GET requests to the exposed log file path /lang/log/httpd.log on Milesight routers; a 200 response indicates a vulnerable device leaking credentials.
- Credential pairs in the log file match the regex pattern '"username":"...","password":"<base64>"'; presence of this pattern in HTTP responses indicates active credential leakage.
- Passwords in the leaked log are AES-CBC encrypted with hardcoded key '1111111111111111' and IV '2222222222222222'; detection of these constants in JavaScript served by the router confirms the vulnerable firmware.
- Use Shodan query 'http.html:rt_title' to identify internet-exposed Milesight routers potentially vulnerable to this information disclosure.
- Directory listing is enabled on vulnerable devices; an unauthenticated browse of /lang/log/ will reveal accessible log files without any authentication challenge.
- The hardcoded AES key and IV are embedded in the router's JavaScript code and are identical across all affected firmware versions prior to v35.3.0.7; any device running older firmware shares these same static cryptographic constants.
- Affected models include UR5X, UR32L, UR32, UR35, UR41, and potentially other Industrial Cellular Routers from Milesight (formerly Xiamen Ursalink Technology Co., Ltd.) running firmware before v35.3.0.7.
- The exploit requires no authentication (PR:N, UI:N per CVSS); the log file at /lang/log/httpd.log is publicly accessible via the router's web interface without any credentials.
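As an added defender-side example (not part of the advisory, the Nuclei template or the Exploit-DB script), the following Python applies the detection notes above to constructed inputs: an access log is checked for successful unauthenticated reads under /lang/log/, a response body is checked for the credential-pair regex, and served JavaScript is checked for the static key/IV fingerprint. The sample log lines, response body and JavaScript snippet are constructed, and nothing is decrypted.

```python
import re

# Credential-pair regex quoted in the YARA note above (username, then a padded base64 blob).
CRED_PATTERN = re.compile(
    r'"username":"([^"]+)","password":"'
    r'(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)"'
)
# Static AES key/IV reported in the router's JavaScript; used here only as a firmware fingerprint.
STATIC_CONSTANTS = ("1111111111111111", "2222222222222222")
# Common Log Format: client ident user [time] "METHOD path proto" status size
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def find_log_exposure(lines):
    """Return (client, path, status) for every successful GET under /lang/log/."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than fail
        client, method, path, status = m.groups()
        if method == "GET" and path.startswith("/lang/log/") and status == "200":
            hits.append((client, path, int(status)))
    return hits


def leaked_usernames(body):
    """Usernames whose credential pairs appear in a response body (passwords are left untouched)."""
    return [m.group(1) for m in CRED_PATTERN.finditer(body)]


def has_static_crypto_constants(js_source):
    """True when the served JavaScript still carries both hardcoded constants."""
    return all(c in js_source for c in STATIC_CONSTANTS)


# Constructed sample data (not captured from a real device).
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [04/Oct/2023:10:15:00 +0000] "GET /lang/log/ HTTP/1.1" 200 1024',
    '203.0.113.5 - - [04/Oct/2023:10:15:01 +0000] "GET /lang/log/httpd.log HTTP/1.1" 200 48213',
    '198.51.100.7 - - [04/Oct/2023:10:16:00 +0000] "GET /lang/log/httpd.log HTTP/1.1" 404 0',
    '198.51.100.9 - - [04/Oct/2023:10:17:00 +0000] "GET /index.html HTTP/1.1" 200 512',
]
SAMPLE_RESPONSE_BODY = (
    '{"username":"admin","password":"QUJDREVGR0hJSktMTU5PUA=="}\n'
    '{"username":"ops","password":"c2VjcmV0cGFzcw=="}\n'
    '{"username":"guest","password":"plainpass"}\n'  # no base64 padding: must not match
)
SAMPLE_JS = 'var key = "1111111111111111"; var iv = "2222222222222222";'
```

Accounts returned by `leaked_usernames` are the ones to rotate after patching; the 404 line shows that only a successful read counts as exposure.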
CVSS provenance
- NVD: CVSS 3.1, 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-3r5f-38cp-r8x3 · ghsa_unreviewed · 2023-10-04
CVE-2023-43261 [HIGH] CWE-532
An information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 allows attackers to access sensitive router components.
VulnCheck
milesight ur5x_firmware Insertion of Sensitive Information into Log File
vulncheck · 2023 · CVSS 7.5 · CVE-2023-43261 [HIGH]
An information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 allows attackers to access sensitive router components.
Affected: milesight ur5x_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://vulncheck.com/blog/real-world-cve-2023-43261
- https://filestore.fortinet.com/fortiguard/outbreak_alert/Outbreak_Alerts-Annual_Report_2023.pdf
- https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/cellular-iot-vulnerabilities-another-door-to-cellular-networks
- https://info.greynoise.io/hubfs/resources/GreyNoise-2025-Mass-Internet-Exploitatio
VulnCheck
Sunhillo SureLine OS Command Injection Vulnerability
vulncheck · 2021 · CVSS 9.8 · CVE-2021-36380 [CRITICAL] CWE-78
Sunhillo SureLine contains an OS command injection vulnerability that allows an attacker to cause a denial-of-service or utilize the device for persistence on the network via shell metacharacters in ipAddr or dnsAddr in /cgi/networkDiag.cgi.
Affected: Sunhillo SureLine
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits
- https://vulncheck.com/blog/real-world-cve-2023-43261
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-17&host_type=src&vulnerability=cve-2021-36380
- https://dashboard.shadowserver.org
No detection rules found.
Exploit-DB
Milesight Routers UR5X_ UR32L_ UR32_ UR35_ UR41 - Credential Leakage Through Unprotected System Logs and Weak Password Encryption
exploitdb · 2024-02-05 · CVSS 7.5 · CVE-2023-43261 [HIGH]
```python
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
Title: Credential Leakage Through Unprotected System Logs and Weak Password Encryption
CVE: CVE-2023-43261
Script Author: Bipin Jitiya (@win3zz)
Vendor: Milesight IoT - https://www.milesight-iot.com/ (Formerly Xiamen Ursalink Technology Co., Ltd.)
Software/Hardware: UR5X, UR32L, UR32, UR35, UR41; other Industrial Cellular Routers might also be vulnerable.
Script Tested on: Ubuntu 20.04.6 LTS with Python 3.8.10
Writeup: https://medium.com/@win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf
"""
import sys
import requests
import re
import warnings
```
Nuclei
Milesight Routers - Information Disclosure
nuclei · CVSS 7.5 · CVE-2023-43261 [HIGH]
A critical security vulnerability has been identified in Milesight Industrial Cellular Routers, compromising the security of sensitive credentials and permitting unauthorized access. This vulnerability stems from a misconfiguration that results in directory listing being enabled on the router systems, rendering log files publicly accessible. These log files, while containing sensitive information such as admin and other user passwords (encrypted as a security measure), can be exploited by attackers via the router's web interface. The presence of a hardcoded AES secret key and initialization vector (IV) in the JavaScript code further exacerbates the situation, facilitating the decryption of these passwords. This chain of vulnerabilities allows mal
References:
- http://milesight.com
- http://packetstormsecurity.com/files/176988/Milesight-UR5X-UR32L-UR32-UR35-UR41-Credential-Leakage.html
- http://ur5x.com
- https://github.com/win3zz/CVE-2023-43261
- https://medium.com/%40win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf
- https://support.milesight-iot.com/support/home
Published: 2023-10-04 · Exploited in the wild