A recent discovery by VulnCheck has shed light on a severe vulnerability affecting industrial cellular routers produced by Milesight. Tracked as CVE-2023-43261 and scoring 7.5 on the CVSS scale, this flaw allows for information disclosure, impacting specific Milesight router models, including UR5X, UR32L, UR32, UR35, and UR41 with firmware versions earlier than 188.8.131.52.
Additionally, the vulnerability could potentially enable remote, unauthenticated attackers to access sensitive logs and credentials, granting them unauthorized access to the routers’ web interfaces. What makes this issue more critical is that some of these routers support SMS messaging, which could be exploited for fraudulent activities.
At the same time, a noteworthy revelation from VulnCheck indicates that this vulnerability may have already been actively exploited in the wild. Evidence shows that an unknown threat actor, originating from locations like France, Lithuania, and Norway, attempted to log into multiple systems on October 2, 2023, with varying degrees of success. The attacker managed to authenticate on four out of six systems, gaining unauthorized access.
The attacker used credentials extracted from httpd.log, suggesting that CVE-2023-43261 was weaponized for these intrusions. Although no further malicious actions were taken, the threat is clear.
It’s worth noting that, out of around 5,500 internet-exposed Milesight routers, only about 5% are running vulnerable firmware versions, making them susceptible to this flaw. VulnCheck recommends that owners of Milesight Industrial Cellular Routers assume that all their credentials have been compromised and generate new ones.
Furthermore, they should ensure that no interfaces are accessible from the internet to mitigate potential security risks. This discovery underscores the ever-present need for organizations to promptly address security vulnerabilities to safeguard against potential exploitation and data breaches.