PT-2023-5865 · Milesight · Milesight Ur32L+3
Win3Zz · Published 2023-10-01 · Updated 2025-10-03 · CVE-2023-43261
CVSS v2.0 7.8 High | AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Milesight UR5X, UR32L, UR32, UR35, UR41 versions prior to 35.3.0.7
Description
An information disclosure issue exists in Milesight routers that allows attackers to access sensitive router components. Reports indicate that approximately 19,000 Milesight routers with exposed APIs have been identified, with at least 572 publicly accessible without authentication. The issue has been exploited in real-world attacks, primarily in Europe (Sweden, Italy, Belgium), to send SMS spam containing phishing links. The vulnerability allows attackers to view system logs and to locate and compromise administrator passwords. These compromised credentials can then be used to abuse the router's SMS API to send malicious messages. The API can be exploited due to misconfigurations or the presence of the vulnerability. The attackers are leveraging the SMS notification feature commonly found in industrial routers to send spam messages. Some malicious URLs include JavaScript that checks for mobile access before delivering harmful content. Connections to a Telegram bot named GroozaBot have also been observed. The SMS API is being abused in these attacks.
Recommendations
Update Milesight UR5X, UR32L, UR32, UR35, and UR41 routers to version 35.3.0.7 or later.
Restrict access to the SMS API to prevent unauthorized use.
Ensure proper configuration of the SMS notification feature to prevent abuse.
Monitor system logs for suspicious activity.
Change default administrator passwords to strong, unique credentials.
Disable the SMS notification feature if it is not required.
Exploit
Fix
Insertion into Log File
Information Disclosure
Related Identifiers
Affected Products
Milesight Ur32L
Milesight Ur35
Milesight Ur41
Milesight Ur5X