Milesight routers mass exploited in smishing campaign targeting Europe

 

A previously undetected smishing campaign has been abusing industrial cellular routers manufactured by Milesight to deliver phishing messages across Europe, according to a new report by French cybersecurity firm Sekoia.

The campaign, active since at least February 2022, leverages a vulnerability tracked as CVE-2023-43261. The flaw allows threat actors to extract system logs from vulnerable Milesight routers, crack encrypted administrator credentials, and gain unauthorized access to the device’s SMS-sending capabilities.

The attackers are abusing a legitimate router feature intended for alerting administrators when remote equipment goes offline. By exploiting the router’s SMS API, the attackers send phishing messages (smishing) impersonating government, postal, banking, and email services. Most messages are crafted to appear from Belgian services such as CSAM and eBox, indicating that Belgium is a primary target. However, victims in Sweden, Italy, and France have also been identified.

Sekoia researchers first detected suspicious activity via internal honeypots on July 22, 2025, when SMS messages containing phishing links were observed being sent via the routers’ /cgi API endpoint. Analysis of the JSON-formatted POST requests revealed parameters associated with the device’s SMS functionality.
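A defender-side triage of the kind of traffic described above, as an added example that is not taken from Sekoia's report or from this article: it flags logged POST requests to /cgi whose JSON body references SMS functionality and carries a link. The record layout and the JSON field names in the sample are constructed placeholders, not Milesight's actual API schema.

```python
import json
import re

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Constructed sample records, as a honeypot or reverse proxy might log them.
# Field names inside "body" are placeholders, not Milesight's real API schema.
SAMPLE_RECORDS = [
    {"src": "198.51.100.7", "method": "POST", "path": "/cgi",
     "body": '{"placeholder_function": "sms_send", "values": '
             '[{"number": "+3200000000", '
             '"text": "constructed message https://example.invalid/login"}]}'},
    {"src": "192.0.2.10", "method": "POST", "path": "/cgi",
     "body": '{"placeholder_function": "get_status", "values": []}'},
    {"src": "203.0.113.5", "method": "GET", "path": "/index.html", "body": ""},
    {"src": "198.51.100.7", "method": "POST", "path": "/cgi", "body": "not-json"},
]

def walk(node):
    """Yield every key and scalar value of a decoded JSON document as text."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield str(key)
            yield from walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item)
    elif node is not None:
        yield str(node)

def classify(record):
    """Return (verdict, urls) for one logged request."""
    if record["method"] != "POST" or record["path"].split("?")[0] != "/cgi":
        return "ignore", []
    try:
        body = json.loads(record["body"])
    except (json.JSONDecodeError, TypeError):
        return "unparsed", []  # keep for manual review rather than dropping
    tokens = list(walk(body))
    # Schema-agnostic: match "sms" in any key or value, since names vary.
    mentions_sms = any("sms" in t.lower() for t in tokens)
    urls = [u for t in tokens for u in URL_RE.findall(t)]
    if mentions_sms and urls:
        return "sms-with-link", urls
    return ("sms-api" if mentions_sms else "other-cgi"), urls

def triage(records):
    """Classify every record, keeping the source address for correlation."""
    return [(r["src"], *classify(r)) for r in records]

if __name__ == "__main__":
    for src, verdict, urls in triage(SAMPLE_RECORDS):
        print(src, verdict, urls)
```

Requests marked `sms-with-link` from addresses outside the administrative network are the ones to correlate with the router's SMS outbox.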

A Shodan scan showed over 19,000 Milesight Industrial Cellular Routers exposed to the public internet, with nearly 2,000 located in France and half in Australia. Of 6,643 devices examined, 572 routers were found to allow unauthenticated access to SMS inbox and outbox APIs. Most affected routers run outdated firmware versions (32.2.x.x and 32.3.x.x), though two exploited devices were also found running newer firmware (41.0.0.2 and 41.0.0.3).

“There is no evidence of any attempt to install backdoors or exploit other vulnerabilities on the device,” Sekoia noted in its report. “This suggests a targeted approach, aligned specifically with the attacker’s smishing operations.”
