Hackers Turn 4G Routers into SMS Cannons – Sweden, Italy, and Belgium Under Attack

An unexpected feature of business-grade equipment became the key to mass attacks.

French company SEKOIA has uncovered a smishing campaign in which attackers are exploiting vulnerabilities in industrial Milesight 4G/5G routers to send phishing SMS messages to users in several European countries. The report describes how the attackers access the devices' API, which allows sending and viewing messages. Since February 2022, these routers have been used for targeted campaigns containing fake links mimicking government services and banking portals – attacks have primarily affected Sweden, Italy, and Belgium.
The investigation revealed that out of approximately 18,000 Milesight devices accessible from the internet, at least 572 had their SMS API exposed without requiring authorization; nearly half of these routers are located in Europe. SEKOIA links the exploitation to a previously known information disclosure vulnerability, tracked as CVE-2023-43261. The attackers relied on both the exploit and configuration errors: some devices with newer firmware were not susceptible to the issue, indicating a mix of exploitation and misconfiguration.
The attacks followed a simple yet effective scheme: first, the attackers verified that they could send SMS by sending test messages to a number they controlled, then they launched mass distributions through distributed routers, complicating detection and blocking.
The phishing pages linked in the messages contained JavaScript checks for mobile browsers and instructions allegedly for updating bank details to receive compensation. One of the domain zones used in 2025 included scripts to disable the context menu and debugging tools, as well as logging visits to a Telegram bot named GroozaBot, managed by a user under the name "Gro_oza," who, based on gathered evidence, communicates in Arabic and French.
SEKOIA notes the absence of traces of attempts to install long-term backdoors or further escalation – the chosen vector was narrowly focused and aimed solely at delivering phishing via SMS.
Taken together, these findings highlight the attractiveness of industrial routers for such campaigns: they enable decentralized sending across different countries and operators, making a rapid response difficult.
Security recommendations include updating the firmware, checking the exposure of management interfaces to the internet, and disabling SMS functions on devices that do not require them.
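
The sending pattern described above (a test message, then mass distribution) can be looked for in a router's outbound SMS history. The following is an added example, not code from SEKOIA's report or from Milesight; the record layout, router names, phone numbers, and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def ts(hhmm):
    """Build a timestamp on a constructed sample date."""
    return datetime.fromisoformat(f"2025-01-15T{hhmm}:00")

# Constructed outbound-SMS records: (router_id, sent_at, recipient).
# Hypothetical layout, not an actual router outbox format.
SAMPLE_OUTBOX = (
    # rtr-A: one lone message, then a fan-out to six distinct numbers
    [("rtr-A", ts("10:00"), "+0000000001")]
    + [("rtr-A", ts(f"12:0{i}"), f"+000000010{i}") for i in range(6)]
    # rtr-B: routine alerts to a single on-call number
    + [("rtr-B", ts(f"{h:02d}:30"), "+0000000999") for h in (8, 12, 16)]
)

def find_sms_fanout(records, window=timedelta(minutes=10), min_recipients=5):
    """Flag routers that message many distinct recipients within `window`.

    For each flagged router, also list recipients contacted before the burst
    that are not part of it: candidates for a sender's test number (or a
    legitimate alert contact, which an analyst can rule out).
    """
    by_router = defaultdict(list)
    for router, sent_at, recipient in records:
        by_router[router].append((sent_at, recipient))

    findings = {}
    for router, msgs in by_router.items():
        msgs.sort()
        start = 0
        for end in range(len(msgs)):
            # Slide the left edge so the span never exceeds `window`.
            while msgs[end][0] - msgs[start][0] > window:
                start += 1
            burst = {r for _, r in msgs[start:end + 1]}
            if len(burst) >= min_recipients:
                earlier = {r for _, r in msgs[:start]} - burst
                findings[router] = {
                    "burst_start": msgs[start][0],
                    "detected_at": msgs[end][0],
                    "pre_burst_recipients": sorted(earlier),
                }
                break  # first burst per router is enough to raise a finding
    return findings
```

On devices that have no business reason to send SMS at all, any outbound message is already worth a finding, so the threshold can be set to 1.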