Oct 01, 2025Ravie LakshmananVulnerability / Malware
Unknown menace actors are abusing Milesight industrial mobile routers to ship SMS messages as a part of a smishing marketing campaign concentrating on customers in European nations since not less than February 2022.
French cybersecurity firm SEKOIA mentioned the attackers are exploiting the mobile router’s API to ship malicious SMS messages containing phishing URLs, with the campaigns primarily concentrating on Sweden, Italy, and Belgium utilizing typosquatted URLs that impersonate authorities platforms like CSAM and eBox, in addition to banking, postal, and telecom suppliers.
Of the 18,000 routers of this sort accessible on the general public web, at least 572 are assessed to be doubtlessly susceptible on account of their exposing the inbox/outbox APIs. About half of the recognized susceptible routers are positioned in Europe.
“Furthermore, the API allows retrieval of each incoming and outgoing SMS messages, which signifies that the vulnerability has been actively exploited to disseminate malicious SMS campaigns since not less than February 2022,” the corporate mentioned. “There isn’t any proof of any try to put in backdoors or exploit different vulnerabilities on the system. This implies a focused method, aligned particularly with the attacker’s smishing operations.”
It is believed the attackers are exploiting a now-patched info disclosure flaw impacting Milesight routers (CVE-2023-43261, CVSS rating: 7.5), which was disclosed by safety researcher Bipin Jitiya precisely two years in the past. Weeks later, VulnCheck revealed that the vulnerability might have been weaponized within the wild shortly following public disclosure.
Additional investigation has revealed that a few of the industrial routers expose SMS-related options, together with sending messages or viewing SMS historical past, with out requiring any type of authentication.
The assaults doubtless contain an preliminary validation part the place the menace actors try to confirm whether or not a given router can ship SMS messages by concentrating on a telephone quantity below their management. SEKOIA additional famous that the API may be publicly accessible on account of misconfigurations, provided that a few routers have been discovered working more moderen firmware variations that aren’t vulnerable to CVE-2023-43261.
The phishing URLs distributed utilizing this technique embody JavaScript that checks whether or not the web page is being accessed from a cell system earlier than serving the malicious content material, which, in flip, urges customers to replace their banking info for purported reimbursement.
What’s extra, one of many domains used within the campaigns between January and April 2025 – jnsi[.]xyz – function JavaScript code to disable right-click actions and browser debugging instruments in an try to hinder evaluation efforts. A few of the pages have additionally been discovered to log customer connections to a Telegram bot named GroozaBot, which is operated by an actor named “Gro_oza,” who seems to talk each Arabic and French.
“The smishing campaigns seem to have been carried out by the exploitation of susceptible mobile routers – a comparatively unsophisticated, but efficient, supply vector,” SEKOIA mentioned. “These units are significantly interesting to menace actors as they allow decentralised SMS distribution throughout a number of nations, complicating each detection and takedown efforts.”
