Unknown threat actors are abusing Milesight industrial cellular routers to send SMS messages as part of a smishing campaign targeting users in European countries since at least February 2022.
French cybersecurity company SEKOIA said the attackers are exploiting the cellular router’s API to send malicious SMS messages containing phishing URLs, with the campaigns primarily targeting Sweden, Italy, and Belgium using typosquatted URLs that impersonate government platforms like CSAM and eBox, as well as banking, postal, and telecom providers.
Of the 18,000 routers of this type accessible on the public internet, no less than 572 are assessed to be potentially vulnerable due to them exposing the inbox/outbox APIs. About half of the identified vulnerable routers are located in Europe.
“Moreover, the API enables retrieval of both incoming and outgoing SMS messages, which indicates that the vulnerability has been actively exploited to disseminate malicious SMS campaigns since at least February 2022,” the company said. “There is no evidence of any attempt to install backdoors or exploit other vulnerabilities on the device. This suggests a targeted approach, aligned specifically with the attacker’s smishing operations.”
It’s believed the attackers are exploiting a now-patched information disclosure flaw impacting Milesight routers (CVE-2023-43261, CVSS score: 7.5), which was disclosed by security researcher Bipin Jitiya exactly two years ago. Weeks later, VulnCheck revealed that the vulnerability may have been weaponized in the wild shortly following public disclosure.
Further investigation has revealed that some of the industrial routers expose SMS-related features, including sending messages or viewing SMS history, without requiring any form of authentication.
The attacks likely involve an initial validation phase where the threat actors attempt to verify whether a given router can send SMS messages by targeting a phone number under their control. SEKOIA further noted that the API could also be publicly accessible due to misconfigurations, given that a couple of routers have been found running more recent firmware versions that are not susceptible to CVE-2023-43261.
The phishing URLs distributed using this method include JavaScript that checks whether the page is being accessed from a mobile device before serving the malicious content, which, in turn, urges users to update their banking information for purported reimbursement.
What’s more, one of the domains used in the campaigns between January and April 2025 – jnsi[.]xyz – feature JavaScript code to disable right-click actions and browser debugging tools in an attempt to hinder analysis efforts. Some of the pages have also been found to log visitor connections to a Telegram bot named GroozaBot, which is operated by an actor named “Gro_oza,” who appears to speak both Arabic and French.
“The smishing campaigns appear to have been conducted through the exploitation of vulnerable cellular routers – a relatively unsophisticated, yet effective, delivery vector,” SEKOIA said. “These devices are particularly appealing to threat actors as they enable decentralised SMS distribution across multiple countries, complicating both detection and takedown efforts.”
