Executive Summary
Unidentified threat actors exploited vulnerabilities in Milesight industrial cellular routers to run a large-scale smishing campaign across Europe, disclosed by researchers in 2025. By abusing the routers' internet-exposed management APIs, the attackers sent SMS messages carrying phishing URLs directly to mobile users in countries including Sweden and Italy. The activity has been ongoing since at least February 2022; because the messages originate from legitimate, carrier-connected equipment, they bypass filters tuned for conventional phishing infrastructure, resulting in widespread delivery of credential-theft links and potential downstream attacks.
This incident highlights the growing trend of attackers targeting edge infrastructure and IoT devices to amplify phishing and malware operations. As threat actors shift toward abusing legitimate network equipment, organizations face new regulatory and operational risks and an urgent need to secure device APIs, implement segmentation, and strengthen monitoring to counter evolving smishing threats.
Why This Matters Now
The exploitation of industrial routers for targeted phishing demonstrates a critical blind spot in infrastructure security, emphasizing the urgent need to address device and API vulnerabilities before attackers can weaponize broadly deployed equipment for large-scale, hard-to-detect campaigns.
Attack Path Analysis
Attackers first reached Milesight routers whose management API was exposed to the internet or insufficiently protected. On unpatched firmware, the information-disclosure flaw (CVE-2023-43261) let them retrieve system logs without authentication; those logs can expose administrator credentials, which in turn give full control of the device's management API. Holding administrative access, they controlled the router's SMS functions and used ongoing API calls, rather than any implanted tooling, as their control channel to send crafted phishing SMS messages to European mobile users, and were positioned to reach networks connected to the device. Sensitive data (system logs and administrator credentials) and control of the router were exposed in the process. The impact was widespread smishing, potential credential theft, and exposure of numerous European end users to follow-on attacks.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited vulnerable or exposed Milesight router APIs to gain initial access to the management interface.
Related CVEs
CVE-2023-43261
CVSS 7.5. An information disclosure vulnerability in Milesight industrial cellular routers allows unauthenticated remote attackers to access sensitive system logs; credentials recorded in those logs can be recovered, leading to unauthorized access and control over the device.
Affected Products:
Milesight UR5X – < 35.3.0.7
Milesight UR32L – < 35.3.0.7
Milesight UR32 – < 35.3.0.7
Milesight UR35 – < 35.3.0.7
Milesight UR41 – < 35.3.0.7
Exploit Status:
Reported exploited in the wild (see the SecurityWeek and Sekoia sources below).
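As an added example (not part of the original advisory or any Milesight tooling), the following Python script triages a device inventory against the affected-model and fixed-version list above, ranking internet-exposed unpatched units first. The CSV columns, the reading of "UR5X" as the UR5-series models, and the management-exposure field are assumptions for illustration.

```python
import csv
import io
import re

# Affected models and fixed firmware version, as listed in the advisory above.
AFFECTED_MODELS = {"UR5X", "UR32L", "UR32", "UR35", "UR41"}
FIXED_VERSION = "35.3.0.7"


def parse_version(version):
    """'35.3.0.7' -> (35, 3, 0, 7); a non-numeric component counts as 0."""
    parts = []
    for piece in re.split(r"[.\-]", version.strip()):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def is_vulnerable(model, firmware):
    """True when the model is on the affected list and runs firmware < 35.3.0.7."""
    m = model.strip().upper()
    # Assumption: "UR5X" in the advisory stands for the UR5-series models
    # (UR51, UR52, ...), so a digit in the X position maps onto that entry.
    if re.fullmatch(r"UR5\d", m):
        m = "UR5X"
    if m not in AFFECTED_MODELS:
        return False
    return parse_version(firmware) < parse_version(FIXED_VERSION)


# Constructed inventory for this example; the last column records from where
# the router's management interface can be reached (an assumed inventory field).
INVENTORY_CSV = """\
hostname,model,firmware,mgmt_reachable_from
ur32-site-a,UR32,35.3.0.5,internet
ur35-site-b,UR35,35.3.0.7,vpn
ur51-site-c,UR51,35.2.0.3,internet
ur41-site-d,UR41,35.3.0.3,vpn
ur75-site-e,UR75,35.3.0.7,internet
"""


def triage(csv_text):
    """Rank each router: P1 vulnerable and internet-exposed, P2 vulnerable only,
    P3 exposed but patched (still abusable with valid credentials), else ok."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        vulnerable = is_vulnerable(row["model"], row["firmware"])
        exposed = row["mgmt_reachable_from"].strip().lower() == "internet"
        if vulnerable and exposed:
            priority = "P1"
        elif vulnerable:
            priority = "P2"
        elif exposed:
            priority = "P3"
        else:
            priority = "ok"
        results.append({"hostname": row["hostname"], "vulnerable": vulnerable,
                        "exposed": exposed, "priority": priority})
    return results


if __name__ == "__main__":
    for r in triage(INVENTORY_CSV):
        print(f"{r['priority']:<3} {r['hostname']:<14} "
              f"vulnerable={r['vulnerable']} exposed={r['exposed']}")
```

A patched router still rates P3 here on purpose: the SMS API is reachable with valid credentials whether or not the log-disclosure bug is fixed, so an internet-facing management interface remains an exposure even on 35.3.0.7.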
MITRE ATT&CK® Techniques
Exploit Public-Facing Application (T1190)
Exfiltration Over Alternative Protocol (T1048)
Phishing: Spearphishing via Service (T1566.003)
Valid Accounts (T1078)
Remote Access Tools (T1219)
Exploitation of Remote Services (T1210)
Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Access Control for Systems
Control ID: 8.3.1
NIS2 Directive – Network and Information System Security
Control ID: Article 21(2)(e)
GDPR – Security of Processing
Control ID: Article 32
CISA ZTMM 2.0 – Device Authentication and Access Management
Control ID: Devices Pillar: Device Security
DORA – ICT Risk Management Requirements
Control ID: Article 6
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Critical infrastructure compromise through exploited Milesight routers enables mass SMS phishing campaigns, requiring immediate zero trust segmentation and egress security measures.
Industrial Automation
Industrial cellular routers vulnerable to API exploitation for smishing attacks demand enhanced threat detection, anomaly response systems, and secure hybrid connectivity protocols.
Utilities
Infrastructure compromise targeting industrial routers poses operational risks requiring multicloud visibility, encrypted traffic controls, and inline intrusion prevention across critical systems.
Manufacturing
Cellular router exploitation threatens industrial communications networks, necessitating east-west traffic security, threat detection capabilities, and cloud native security fabric implementation.
Sources
- Hackers Exploit Milesight Routers to Send Phishing SMS to European Users: https://thehackernews.com/2025/10/hackers-exploit-milesight-routers-to.html (verified)
- Silent Smishing: The Hidden Abuse of Cellular Router APIs: https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/ (verified)
- Milesight Industrial Router Vulnerability Possibly Exploited in Attacks: https://www.securityweek.com/milesight-industrial-router-vulnerability-possibly-exploited-in-attacks/ (verified)
- Milesight Security Vulnerability Management: https://www.milesight.com/resources/support/security-vulnerability-management (verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust network segmentation, strong east-west traffic controls, inline IPS, and egress enforcement of the kind CNSF-aligned controls provide would have kept the routers' management interfaces off the public internet, flagged abuse of the SMS API, and blocked unauthorized outbound messaging and data transfers.
Control: Zero Trust Segmentation
Mitigation: Prevents unauthorized lateral access to networked infrastructure and APIs.
Control: East-West Traffic Security
Mitigation: Detects and blocks abnormal privilege escalation or management traffic within infrastructure.
Control: Multicloud Visibility & Control
Mitigation: Enables real-time detection of suspicious lateral movement attempts.
Control: Inline IPS (Suricata)
Mitigation: Detects and blocks malicious or anomalous API call patterns characteristic of C2 activity.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks or flags unauthorized outbound data or exfiltration channels.
Rapid detection of anomalous SMS sending volumes and incident response automation limits scope.
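Added example, not from the original page or the Sekoia research: a Python detector that runs over constructed router access-log lines and flags the three signals a defender would watch for in this campaign, namely a successful unauthenticated fetch of the log file (the CVE-2023-43261 step), SMS sending from outside the administrator network, and a burst of sends above a volume baseline. The log record layout, the `sms_send` function name, the `/lang/log/httpd.log` path and the thresholds are assumptions for illustration; adapt the parser to the records your routers or the reverse proxy in front of them actually emit.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumptions for this example: administrators reach the router only from this
# network, a legitimate operator never sends more than ~20 SMS in ten minutes,
# and the CVE-2023-43261 log file is served under a path ending in httpd.log.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16")]
SMS_WINDOW = timedelta(minutes=10)
SMS_BURST_THRESHOLD = 20
LOG_FILE_SUFFIXES = ("httpd.log",)

# Assumed record layout: ISO-8601 time, client IP, method, path, HTTP status,
# and the API function named in the request body ("-" when there is none).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) (?P<func>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["status"] = int(ev["status"])
    return ev


def is_admin_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETS)


def peak_sends_in_window(times, window):
    """Largest number of sends from one source inside any sliding window."""
    times = sorted(times)
    peak = j = 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        peak = max(peak, i - j + 1)
    return peak


def detect(lines):
    """Run the three rules over raw log lines and return a list of findings."""
    findings = []
    sms_times = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed records are skipped, not trusted
        # Rule 1: a successful fetch of the log file from outside the admin
        # network is the credential-harvesting step enabled by CVE-2023-43261.
        if (ev["method"] == "GET" and ev["path"].endswith(LOG_FILE_SUFFIXES)
                and ev["status"] == 200 and not is_admin_source(ev["ip"])):
            findings.append({"rule": "log-disclosure-probe", "src": ev["ip"], "detail": ev["path"]})
        if ev["func"] == "sms_send" and ev["status"] == 200:
            sms_times[ev["ip"]].append(ev["ts"])
    for ip, times in sms_times.items():
        # Rule 2: any SMS sent by a non-admin source is suspect regardless of volume.
        if not is_admin_source(ip):
            findings.append({"rule": "sms-from-untrusted-source", "src": ip, "detail": f"{len(times)} sends"})
        # Rule 3: a burst above the baseline threshold, whoever sent it.
        peak = peak_sends_in_window(times, SMS_WINDOW)
        if peak > SMS_BURST_THRESHOLD:
            findings.append({"rule": "sms-burst", "src": ip, "detail": f"{peak} sends within {SMS_WINDOW}"})
    return findings


# Constructed sample data: one admin alert SMS, then an attacker pulling the log,
# logging in with the recovered credentials and blasting 40 phishing SMS in ~3 min.
def _fmt(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _sms_burst(ip, start, count, step_s):
    return [f"{_fmt(start + timedelta(seconds=i * step_s))} {ip} POST /cgi 200 sms_send"
            for i in range(count)]


_BURST_START = datetime(2025, 3, 2, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    "2025-03-02T00:15:00Z 10.20.0.4 POST /cgi 200 login",
    "2025-03-02T00:15:20Z 10.20.0.4 POST /cgi 200 sms_send",
    "2025-03-02T01:10:41Z 203.0.113.5 GET /lang/log/httpd.log 200 -",
    "2025-03-02T01:11:02Z 203.0.113.5 POST /cgi 200 login",
    "2025-03-02T01:11:30Z 198.51.100.7 GET /lang/log/httpd.log 404 -",
    "this line is not in the expected format",
] + _sms_burst("203.0.113.5", _BURST_START, 40, 5) + [
    "2025-03-02T06:40:00Z 10.20.0.4 POST /cgi 200 sms_send",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LINES):
        print(f"{f['rule']:<26} {f['src']:<14} {f['detail']}")
```

Rule 1 keys on a 200 response so that scanners hitting patched units (the 404 line in the sample) do not drown the alert; if you also want to see reconnaissance, count the 404s separately. Rule 2 is the cheapest and most robust signal here: on a router whose management plane should never face the internet, a single SMS sent by an unknown source is already an incident, before any volume baseline is exceeded.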
Impact at a Glance
Affected Business Functions
- Network Operations
- Industrial Control Systems
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive system logs and administrator credentials, leading to unauthorized access and control over industrial routers.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation to restrict direct access to router management interfaces and APIs.
- Apply east-west traffic controls and monitoring to detect and prevent unauthorized privilege escalation or internal lateral movement.
- Deploy inline IPS and egress policy enforcement to stop malicious control activity and block unauthorized outbound messaging or data.
- Leverage centralized multicloud visibility to baseline normal infrastructure behavior and quickly identify anomalies or attacks.
- Automate threat detection and incident response for device and network abuse scenarios, reducing the window of exposure and potential impact.