Exploited Routers: Flaw in Milesight Industrial Devices Used for Mass Smishing in Europe
The French cybersecurity firm SEKOIA has uncovered a smishing campaign in which attackers exploit vulnerabilities in Milesight industrial 4G/5G routers to distribute phishing SMS messages across several European countries. According to the report, adversaries leveraged the devices’ APIs — which allow the sending and viewing of messages — and, since February 2022, used these routers to launch targeted phishing campaigns with fraudulent links impersonating government services and banking portals. The attacks primarily affected Sweden, Italy, and Belgium.
The investigation revealed that of roughly 18,000 Milesight devices accessible from the internet, at least 572 exposed their SMS APIs without requiring authentication; nearly half of these routers were located in Europe. SEKOIA attributes the exploitation to a known vulnerability tracked as CVE-2023-43261. The attackers combined both a direct exploit and configuration errors — some routers running newer firmware were not vulnerable, suggesting a blend of exploitation techniques and misconfigurations.
The attack chain was deceptively simple yet effective: first, adversaries tested SMS delivery by sending trial messages to a controlled number, and once successful, they launched large-scale campaigns through distributed routers, making detection and blocking far more difficult.
The phishing pages linked within the messages contained JavaScript checks to detect mobile browsers, accompanied by prompts instructing users to update their banking credentials under the guise of compensation claims. One of the domains used in 2025 incorporated scripts designed to disable right-click menus and debugging tools, while also logging visits to a Telegram bot named GroozaBot, operated by a user going by “Gro_oza,” who, based on collected evidence, communicated in both Arabic and French.
SEKOIA notes that no attempts were observed to install persistent backdoors or escalate access further — the attack vector remained narrowly focused on phishing delivery via SMS.
The findings underscore the appeal of industrial routers for such campaigns, as they enable decentralized distribution across multiple countries and operators, complicating rapid response efforts.
Recommended defenses include updating firmware, restricting access to management interfaces from the internet, and disabling SMS functionality on devices where it is not required.
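A defender can look for the trial-message-then-campaign pattern described above in a router's sent-SMS history. The following is an added example, not code from SEKOIA or Milesight. The export format, router names, phone numbers, allowlist and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.I)

# Assumption: numbers this site's routers legitimately text (operator on-call phones).
ALLOWLIST = {"+46700000001"}

# Constructed sample outbox export: (router, ISO time, recipient, text). Not real data.
SAMPLE = [
    ("rtr-01", "2025-01-10T08:00:00", "+46700000001", "ALARM: pump 3 pressure low"),
    ("rtr-02", "2025-01-10T09:00:00", "+32400000009", "test"),
    ("rtr-02", "2025-01-10T09:20:00", "+32400000101", "Refund pending: https://example.invalid/a"),
    ("rtr-02", "2025-01-10T09:20:05", "+39300000102", "Refund pending: https://example.invalid/a"),
    ("rtr-02", "2025-01-10T09:20:09", "+46700000103", "Refund pending: https://example.invalid/a"),
]

def audit_outbox(records, allowlist=ALLOWLIST, fanout=3):
    """Return {router: sorted list of findings} for routers with suspicious SMS."""
    by_router = defaultdict(list)
    for router, ts, rcpt, text in records:
        by_router[router].append((ts, rcpt, text))
    report = {}
    for router, msgs in by_router.items():
        msgs.sort()  # ISO-8601 strings sort chronologically
        unknown = [m for m in msgs if m[1] not in allowlist]
        if not unknown:
            continue  # router only texted expected operator numbers
        findings = {"unknown_recipient"}
        linked = [m for m in unknown if URL_RE.search(m[2])]
        if linked:
            findings.add("url_in_sms")
        if len({m[1] for m in unknown}) >= fanout:
            findings.add("recipient_fanout")
        # Trial-message pattern: a link-free SMS to one number, then linked SMS to others.
        first = unknown[0]
        if linked and not URL_RE.search(first[2]) and any(m[1] != first[1] for m in linked):
            findings.add("probe_then_campaign")
        report[router] = sorted(findings)
    return report

if __name__ == "__main__":
    for router, findings in audit_outbox(SAMPLE).items():
        print(router, findings)
```

An industrial router that only sends alarm texts to a handful of known numbers should produce an empty report, so any finding is worth a look at the device's exposure and firmware.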