
Milesight Industrial Router Vulnerability Possibly Exploited in Attacks

A vulnerability affecting Milesight industrial routers, tracked as CVE-2023-43261, may have been exploited in attacks. 


A vulnerability affecting some industrial routers made by Chinese IoT and video surveillance product maker Milesight may have been exploited in attacks, according to exploit and vulnerability intelligence firm VulnCheck.

Several UR-series industrial cellular routers from Milesight (Ursalink) are affected by CVE-2023-43261, a serious vulnerability exposing system log files, such as ‘httpd.log’. 

The exposed logs contain passwords for administrators and other users, which can be leveraged by remote, unauthenticated attackers to gain unauthorized access to the targeted device. The passwords are not stored in plain text in the log files, but they can be easily cracked. 

Researcher Bipin Jitiya recently disclosed details of the vulnerability and made public a proof-of-concept (PoC) exploit. He informed Milesight about his findings, but the vendor said it had been aware of the flaw and released patches before the researcher reached out.

Indeed, an analysis of various firmware versions conducted by VulnCheck showed that CVE-2023-43261 has likely been patched for years. 

The Shodan and Censys search engines show approximately 5,500 internet-exposed Milesight devices, but only 6.5% — fewer than 400 devices — appear to be running vulnerable firmware versions.

However, VulnCheck did observe what may be small-scale exploitation of the vulnerability. 

“We observed attempting to log into six systems on October 2, 2023. The affected systems’ IP addresses geolocate to France, Lithuania, and Norway. They don’t appear to be related, and all use different non-default credentials,” VulnCheck explained in a blog post.

“On four systems, the attacker successfully authenticated on the first attempt. One time, the attacker attempted two different passwords. Both passwords (failed and successful) were already present in the httpd.log. Finally, on the last system, they could not authenticate. The httpd.log had many login attempts but no successful logins. The attacker attempted all the unique credentials that were already in httpd.log and then made no more attempts. That pattern could reasonably be CVE-2023-43261,” the security firm added.
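The pattern VulnCheck describes can be expressed as a log-triage heuristic: a source that only ever submits credentials that were already logged is replaying them, not guessing. The following is an added example, not code from VulnCheck or Milesight; the record layout, the `classify_sources` function and the sample values are constructed assumptions and do not reflect the real httpd.log format.

```python
from collections import namedtuple

# Constructed, simplified login records. This is NOT the real httpd.log
# format; "cred" stands for the opaque credential value as it was logged.
Attempt = namedtuple("Attempt", "ts src user cred ok")

SAMPLE = [
    Attempt(100, "10.0.0.5", "admin", "c1", True),       # legitimate admin
    Attempt(200, "10.0.0.6", "oper", "c2", False),       # operator typo
    Attempt(210, "10.0.0.6", "oper", "c3", True),
    Attempt(900, "203.0.113.7", "admin", "c1", True),    # replay, first try
    Attempt(950, "198.51.100.9", "admin", "g1", False),  # guessing
    Attempt(951, "198.51.100.9", "admin", "g2", False),
    Attempt(952, "198.51.100.9", "admin", "c1", True),
]

def classify_sources(attempts, known_sources):
    """Label each unknown source by how its attempts relate to credentials
    already present in the log before that source first appeared."""
    attempts = sorted(attempts, key=lambda a: a.ts)
    verdicts = {}
    for src in {a.src for a in attempts} - set(known_sources):
        mine = [a for a in attempts if a.src == src]
        first_seen = mine[0].ts
        # Credentials that other parties had already caused to be logged.
        prior = {(a.user, a.cred) for a in attempts
                 if a.ts < first_seen and a.src != src}
        tried = [(a.user, a.cred) for a in mine]
        if any(t not in prior for t in tried):
            verdicts[src] = "guessing"          # submitted values never logged
        elif any(a.ok for a in mine):
            verdicts[src] = "replay-success"    # only logged values, got in
        elif set(tried) >= prior:
            verdicts[src] = "replay-exhausted"  # tried every logged value, stopped
        else:
            verdicts[src] = "replay-partial"    # logged values only, incomplete
    return verdicts

if __name__ == "__main__":
    print(classify_sources(SAMPLE, {"10.0.0.5", "10.0.0.6"}))
```

A "replay-success" or "replay-exhausted" verdict from an unfamiliar address is the signal to rotate every credential that appears in the log and to review VPN settings stored on the device.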


In these attacks, the hacker did not make any changes to the compromised system, but they did go through all the settings and status pages, which indicates that it may have been someone conducting reconnaissance. 

“Some of the victims did have configured VPN servers, and the attacker did expose the cleartext credentials, which is enough for the attacker to pivot into the ICS network,” VulnCheck noted.

According to the vendor, the UR-series routers can be used in various fields, including industrial automation, self-service kiosks, traffic lighting, smart grid assets, medical equipment, and retail.

UPDATE: On November 13, 2023, a Milesight representative provided the following statement to SecurityWeek:

“The following vulnerabilities have been promptly identified and fixed. The manufacturer actively communicated the vulnerability situation and promptly updated the software to address the vulnerability risks. I confirm that the issue has been resolved without any residual negative impact. Therefore, the following vulnerability content is for discussion and research purposes only.”


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
