CVE-2023-43261
published 2023-10-04

CVE-2023-43261: An information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 allows attackers to access sensitive router components.

Priority: P181, high, 7.5 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 60.11% (99.0th percentile)

Affected

5 ranges
Vendor      Product           Version range   Fixed in
milesight   ur32_firmware     < 35.3.0.7      35.3.0.7
milesight   ur32l_firmware    < 35.3.0.7      35.3.0.7
milesight   ur35_firmware     < 35.3.0.7      35.3.0.7
milesight   ur41_firmware     < 35.3.0.7      35.3.0.7
milesight   ur5x_firmware     < 35.3.0.7      35.3.0.7

Detection & IOCs (extracted from sources)

path: /lang/log/httpd.log
url: /lang/log/httpd.log
path: /login.html
other: AES KEY: 1111111111111111
other: AES IV: 2222222222222222
other: shodan-query: http.html:rt_title
yara: regex: '"username":"([^"]+)","password":"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)"'
  • Detect unauthenticated HTTP GET requests to the exposed log file path /lang/log/httpd.log on Milesight routers; a 200 response indicates a vulnerable device leaking credentials.
  • Credential pairs in the log file match the regex pattern '"username":"...","password":"<base64>"'; presence of this pattern in HTTP responses indicates active credential leakage.
  • Passwords in the leaked log are AES-CBC encrypted with hardcoded key '1111111111111111' and IV '2222222222222222'; detection of these constants in JavaScript served by the router confirms the vulnerable firmware.
  • Use Shodan query 'http.html:rt_title' to identify internet-exposed Milesight routers potentially vulnerable to this information disclosure.
  • Directory listing is enabled on vulnerable devices; an unauthenticated browse of /lang/log/ will reveal accessible log files without any authentication challenge.
  • The hardcoded AES key and IV are embedded in the router's JavaScript code and are identical across all affected firmware versions prior to v35.3.0.7; any device running older firmware shares these same static cryptographic constants.
  • Affected models include UR5X, UR32L, UR32, UR35, UR41, and potentially other Industrial Cellular Routers from Milesight (formerly Xiamen Ursalink Technology Co., Ltd.) running firmware before v35.3.0.7.
  • The exploit requires no authentication (PR:N, UI:N per CVSS); the log file at /lang/log/httpd.log is publicly accessible via the router's web interface without any credentials.

CVSS provenance

nvd         v3.1   7.5   HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vulncheck          9.8   CRITICAL