Security experts have warned about a significant vulnerability affecting industrial cellular routers from Milesight. This flaw, identified as CVE-2023-43261 with a CVSS score of 7.5, could potentially have been exploited in real-world attacks. The flaw is an information disclosure vulnerability that affects UR5X, UR32L, UR32, UR35, and UR41 routers before version 184.108.40.206. It could allow attackers to access logs such as httpd.log and other sensitive credentials. Consequently, this could enable remote and unauthenticated attackers to gain unauthorized access to the web interface, potentially allowing them to configure VPN servers and disable firewall protections.
Security researcher Bipin Jitiya, who discovered the issue, highlighted the severity of the vulnerability, stating, 'This vulnerability becomes even more severe as some routers allow the sending and receiving of SMS messages. An attacker could exploit this functionality for fraudulent activities, potentially causing financial harm to the router owner.'
There is evidence suggesting that this flaw may have been exploited on a small scale in the wild. Jacob Baines from the security firm reported that they observed a suspicious IP address attempting to log into six systems on October 2, 2023. The affected systems were located in France, Lithuania, and Norway, and all used different non-default credentials. The threat actor reportedly managed to authenticate successfully on four of the six machines on the first attempt. On the fifth system, the login succeeded on the second attempt, while the login on the sixth system failed. The credentials used in the attack were extracted from httpd.log, indicating the exploitation of CVE-2023-43261.
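The pattern in that report, first-try successes with different non-default usernames across several routers from one source, is what a defender would look for in web-interface authentication logs, since it points to leaked credentials rather than guessing. The following detection check is an added example, not code from the report, the security firm or Milesight; the log format, field names, addresses and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of web-interface login events (not real data). Format is an
# assumption: "<timestamp> src=<ip> host=<router> user=<name> result=<ok|fail>".
SAMPLE_LOG = """\
2023-10-02T08:01:10Z src=203.0.113.9 host=router-fr-01 user=ops result=ok
2023-10-02T08:01:42Z src=203.0.113.9 host=router-lt-01 user=admin2 result=ok
2023-10-02T08:02:05Z src=203.0.113.9 host=router-no-01 user=field result=ok
2023-10-02T08:02:30Z src=203.0.113.9 host=router-no-02 user=svc result=ok
2023-10-02T08:03:01Z src=203.0.113.9 host=router-fr-02 user=ops2 result=fail
2023-10-02T08:03:20Z src=203.0.113.9 host=router-fr-02 user=ops2 result=ok
2023-10-02T08:04:00Z src=203.0.113.9 host=router-lt-02 user=root result=fail
2023-10-02T08:05:00Z src=198.51.100.7 host=router-fr-01 user=admin result=fail
2023-10-02T08:05:02Z src=198.51.100.7 host=router-fr-01 user=admin result=fail
2023-10-02T08:05:04Z src=198.51.100.7 host=router-fr-01 user=admin result=ok
"""

LINE_RE = re.compile(r"src=(\S+) host=(\S+) user=(\S+) result=(ok|fail)")

def first_attempt_stats(log_text):
    """Per source IP: distinct hosts tried, hosts where the very first attempt
    succeeded, and distinct usernames used. Only the first event per
    (src, host) pair decides the first-try outcome; later retries are ignored."""
    seen = set()
    stats = defaultdict(lambda: {"hosts": 0, "first_try_ok": 0, "users": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, host, user, result = m.groups()
        stats[src]["users"].add(user)
        if (src, host) in seen:
            continue
        seen.add((src, host))
        stats[src]["hosts"] += 1
        if result == "ok":
            stats[src]["first_try_ok"] += 1
    return stats

def suspicious_sources(log_text, min_hosts=3, min_ratio=0.5):
    """Flag sources that reach many distinct routers, succeed on the first try
    for at least min_ratio of them, and use more than one username. A brute
    forcer hammers one host with repeated failures and does not match this."""
    flagged = []
    for src, s in first_attempt_stats(log_text).items():
        ratio = s["first_try_ok"] / s["hosts"]
        if s["hosts"] >= min_hosts and ratio >= min_ratio and len(s["users"]) > 1:
            flagged.append(src)
    return sorted(flagged)
```

On the constructed sample, 203.0.113.9 is flagged (four first-try successes out of six routers, six different usernames) while the single-host retry burst from 198.51.100.7 is not.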
While there is no evidence of any further malicious actions, it appears that the unknown actor checked the settings and status pages. The security firm estimates that out of approximately 5,500 internet-exposed Milesight routers, only about 5% are running vulnerable firmware versions and are therefore susceptible to the flaw. Baines suggested that, 'If you have a Milesight Industrial Cellular Router, it's probably wise to assume all the credentials on the system have been compromised and to simply generate new ones, and ensure no interfaces are reachable via the internet.'
The report also detailed several security flaws in South River Technologies' Titan MFT and Titan SFTP servers. If exploited, these could allow remote superuser access to affected hosts. However, the security firm stated that all issues are post-authentication and require non-default configurations, so they are unlikely to see wide-scale exploitation.