CVE-2023-43261

HIGH EXPLOITED NUCLEI

Milesight <v35.3.0.7 - Info Disclosure

Title source: llm

Exploitation Summary

CVE-2023-43261 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including win3zz, dyeat. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional Python script that exploits CVE-2023-43261 by retrieving unprotected log files from Milesight IoT routers and decrypting hardcoded AES-encrypted credentials. The script demonstrates the vulnerability by extracting and decrypting usernames and passwords from exposed logs.

Description

An information disclosure in Milesight UR5X, UR32L, UR32, UR35, UR41 before v35.3.0.7 allows attackers to access sensitive router components.

Exploits (2)

nomisec WORKING POC 57 stars

by win3zz · infoleak

https://github.com/win3zz/CVE-2023-43261

View Code ZIP pw:eip

This repository contains a functional Python script that exploits CVE-2023-43261 by retrieving unprotected log files from Milesight IoT routers and decrypting hardcoded AES-encrypted credentials. The script demonstrates the vulnerability by extracting and decrypting usernames and passwords from exposed logs.

Classification

Working Poc 100%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Milesight IoT Industrial Cellular Routers (UR5X, UR32L, UR32, UR35, UR41) with firmware versions prior to v35.3.0.7

No auth needed

Prerequisites: Network access to the target router's web interface · Exposed /lang/log/httpd.log endpoint

MITRE ATT&CK

T1552.001 - Credentials In Files T1552.003 - Shell History T1552.004 - Private Keys

devstral-2 · analyzed Feb 18, 2026 Full analysis →

github WORKING POC

by dyeat · pythonpoc

https://github.com/dyeat/cve-reproduction/tree/main/Milesight/IoT-Router/CVE-2023-43261

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2023-43261, which targets a credential leakage vulnerability in Milesight IoT Routers. The exploit retrieves and decrypts credentials from an exposed log file using a hardcoded AES key and IV.

Classification

Working Poc 95%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Milesight IoT Router (version not specified)

No auth needed

Prerequisites: Network access to the target router · Exposed '/lang/log/httpd.log' endpoint

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed May 22, 2026 Full analysis →

Nuclei Templates (1)

Milesight Routers - Information Disclosure

HIGHVERIFIEDby gy741

Shodan: http.html:rt_title

References (6)

Core 6

Core References

Product

http://milesight.com

Broken Link, Not Applicable

http://ur5x.com

Exploit, Third Party Advisory

https://github.com/win3zz/CVE-2023-43261

Product

https://support.milesight-iot.com/support/home

Various Sources

https://medium.com/%40win3zz/inside-the-router-how-i-accessed-industrial-routers-and-reported-the-flaws-29c34213dfdf

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/176988/Milesight-UR5X-UR32L-UR32-UR35-UR41-Credential-Leakage.html

Scores

CVSS v3 7.5

EPSS 0.9314

EPSS Percentile 99.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

VulnCheck KEV 2023-10-13

CWE

CWE-532

Status published

Products (5)

milesight/ur32_firmware < 35.3.0.7

milesight/ur32l_firmware < 35.3.0.7

milesight/ur35_firmware < 35.3.0.7

milesight/ur41_firmware < 35.3.0.7

milesight/ur5x_firmware < 35.3.0.7

Published Oct 04, 2023

Tracked Since Feb 18, 2026