A vulnerability affecting some industrial routers made by Chinese IoT and video surveillance product maker Milesight may have been exploited in attacks, according to exploit and vulnerability intelligence firm VulnCheck.
Several UR-series industrial cellular routers from Milesight (Ursalink) are affected by CVE-2023-43261, a serious vulnerability exposing system log files, such as ‘httpd.log’.
The exposed logs contain passwords for administrators and other users, which can be leveraged by remote, unauthenticated attackers to gain unauthorized access to the targeted device. The passwords are not stored in plain text in the log files, but they can be easily cracked.
Researcher Bipin Jitiya recently disclosed details of the vulnerability and made public a proof-of-concept (PoC) exploit. He informed Milesight about his findings, but the vendor said it had been aware of the flaw and released patches before the researcher reached out.
Indeed, an analysis of various firmware versions conducted by VulnCheck showed that CVE-2023-43261 has likely been patched for years.
The Shodan and Censys search engines show approximately 5,500 internet-exposed Milesight devices, but only 6.5% — less than 400 devices — appear to be running vulnerable firmware versions.
However, VulnCheck did observe what may be small-scale exploitation of the vulnerability.
“We observed 18.104.22.168 attempting to log into six systems on October 2, 2023. The affected systems’ IP addresses geolocate to France, Lithuania, and Norway. They don’t appear to be related, and all use different non-default credentials,” VulnCheck explained in a blog post.
“On four systems, the attacker successfully authenticated on the first attempt. One time, the attacker attempted two different passwords. Both passwords (failed and successful) were already present in the httpd.log. Finally, on the last system, they could not authenticate. The httpd.log had many login attempts but no successful logins. The attacker attempted all the unique credentials that were already in httpd.log and then made no more attempts. That pattern could reasonably be CVE-2023-43261,” the security firm added.
In these attacks, the hacker did not make any changes to the compromised system, but they did go through all the settings and status pages, which indicates that it may have been someone conducting reconnaissance.
“Some of the victims did have configured VPN servers, and the attacker did expose the cleartext credentials, which is enough for the attacker to pivot into the ICS network,” VulnCheck noted.
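As an added example that is not code from VulnCheck or from this article, the following Python flags the login pattern VulnCheck describes above: a source that only ever presents credentials already recorded in the device's own log, and then either succeeds or goes quiet once that set is exhausted. The event layout and sample values are constructed, since the page does not show the real httpd.log format.

```python
# Added example (not from VulnCheck or the article): flag login sources whose
# every attempt reuses a credential that was already in the device log when
# they first showed up, then either succeed or stop once that set is exhausted.
# Event layout is constructed; the real httpd.log format is not on the page.
# Constructed events in log order: (source_ip, username, credential_token, ok).
# The token is the password as the log records it (not plain text, per the
# article), so tokens are compared as opaque strings and never decoded.
EVENTS = [
    ("10.0.0.5", "admin", "tok-A1", True),      # routine admin logins
    ("10.0.0.5", "admin", "tok-A1", True),
    ("10.0.0.7", "ops", "tok-B2", False),       # typo, then the right password
    ("10.0.0.7", "ops", "tok-B3", True),
    ("203.0.113.9", "ops", "tok-B2", False),    # replays both logged 'ops' creds
    ("203.0.113.9", "ops", "tok-B3", True),
    ("192.0.2.77", "admin", "tok-A1", False),   # every logged credential fails
    ("192.0.2.77", "ops", "tok-B2", False),     # (passwords rotated); then the
    ("192.0.2.77", "ops", "tok-B3", False),     # source goes quiet
    ("198.51.100.4", "admin", "tok-Z9", False), # ordinary guessing: these
    ("198.51.100.4", "admin", "tok-Z8", False), # tokens were never in the log
]

def find_credential_replay(events, trusted_prefixes=("10.",)):
    """Return {source_ip: reason} for untrusted sources matching the pattern."""
    log_so_far = set()  # (user, token) pairs written to the log, success or not
    seen_before = {}    # source -> snapshot of log_so_far at its first attempt
    attempts = {}       # source -> ordered list of ((user, token), success)
    for src, user, token, ok in events:
        cred = (user, token)
        if src not in attempts:
            seen_before[src] = set(log_so_far)
        attempts.setdefault(src, []).append((cred, ok))
        log_so_far.add(cred)  # failed attempts land in the log too
    verdicts = {}
    for src, tries in attempts.items():
        if src.startswith(trusted_prefixes):
            continue
        tried = {cred for cred, _ in tries}
        if not tried <= seen_before[src]:
            continue  # at least one credential was not already in the log
        if any(ok for _, ok in tries):
            verdicts[src] = "succeeded using only credentials already in the log"
        elif tried == seen_before[src]:
            verdicts[src] = "tried every logged credential, then stopped"
    return verdicts

if __name__ == "__main__":
    for ip, why in find_credential_replay(EVENTS).items():
        print(f"{ip}: {why}")
```

Sources that try even one token never present in the log (plain guessing) are deliberately not flagged, which keeps the rule specific to log-derived credential reuse rather than general brute forcing.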
According to the vendor, the UR-series routers can be used in various fields, including industrial automation, self-service kiosks, traffic lighting, smart grid assets, medical equipment, and retail.