Hackers Exploit Cellular Router’s API to Send Malicious SMS Messages With Weaponized Links


Hackers have recently leveraged a vulnerability in the web-based management interfaces of certain cellular routers to co-opt their built-in SMS functionality for nefarious purposes.

By targeting exposed APIs, attackers are able to dispatch large volumes of malicious SMS messages containing weaponized links that lead to drive-by downloads or credential-stealing pages.

This emerging threat vector exploits otherwise legitimate network equipment, transforming routers into unwitting proxies for mass phishing campaigns and malware distribution.

Victims receive SMS texts purporting to be security alerts or delivery notifications, but clicking the embedded URL triggers silent exploitation of device vulnerabilities or launches social-engineering traps.

Throughout August and September 2025, multiple security operations centers noted unusual spikes in SMS traffic originating from residential and enterprise routers rather than cellular networks.

Sekoia researchers identified that threat actors were systematically scanning for endpoints exposing vendor APIs—particularly on models using TR-064 or custom HTTP-based SMS interfaces.


Once discovered, these interfaces permit unauthenticated or weakly authenticated commands to send arbitrary SMS messages via the SIM card installed in the router.

Although the impacted routers vary by manufacturer, commonalities include default credentials left unchanged and outdated firmware lacking API rate-limiting or input validation.

The rapid proliferation of this technique highlights a critical blind spot: network administrators rarely monitor SMS logs on routers as rigorously as they do network traffic or firewall events.

As a result, large-scale campaigns have gone unnoticed for weeks, allowing attackers to refine their messaging templates and evade detection.

Initial lure messages masquerade as two-factor authentication requests or urgent account recovery notifications, exploiting user trust in SMS channels. Subsequent campaigns pivot to more targeted bait based on harvested data, increasing click-through rates and downstream compromise.

Beyond the immediate risk of credential theft, successful exploitation can deliver secondary payloads that pivot into local networks.

Once a victim clicks the weaponized link, a drive-by exploit chain may deploy a backdoor to the user’s device, granting attackers persistent access.

CSAM Phishing page (Source – Sekoia)

In corporate environments, this intrusion can facilitate lateral movement, data exfiltration, or enrollment of additional devices into the SMS-spam network—amplifying both reconnaissance and monetization opportunities for the threat actors behind these operations.

Infection Mechanism

At the core of this campaign lies the abuse of the router’s SMS API endpoint. Attackers first brute-force or enumerate default administrative credentials to gain shell-level or web-server access.

With valid access, they issue HTTP requests that mimic legitimate SMS-sending commands. The simplest form of this interaction can be illustrated with a curl snippet:

curl -X POST http://192.168.1.1/api/sms/send \
  -H "Content-Type: application/json" \
  -d '{
        "username":"admin",
        "password":"admin123",
        "destination":"+15551234567",
        "message":"Your account requires immediate verification: http://bit.ly/verify-now"
      }'

In many affected devices, the API fails to enforce strong input sanitization, allowing attackers to inject HTML or JavaScript into the message payload.

This enables more sophisticated attacks, such as weaponized links that automatically execute on click without browser warnings.

Furthermore, the SMS API often exposes status codes and delivery reports, providing feedback that attackers use to measure campaign success and optimize targeting.
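The weaknesses described above (factory credentials, no input validation, no rate limiting) are all fixable at the API boundary. The following is an added example, not code from the article or from any router vendor: a hypothetical policy class that a firmware's /api/sms/send handler could call before it touches the modem. The account store, the credential blocklist, the E.164 pattern and the per-account sliding-window limit are all assumptions chosen for illustration.

```python
import re
import time
from collections import defaultdict, deque

# Constructed policy values for this example; real firmware would load these
# from configuration. The credential pairs listed are common factory defaults.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "admin123"), ("admin", "password")}
MAX_SENDS_PER_WINDOW = 5       # accepted sends per account per window
WINDOW_SECONDS = 60
MAX_MESSAGE_LENGTH = 160

# Destination must be E.164: leading '+', 7 to 15 digits, no leading zero.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")
# Markup or script-style content has no business in an SMS body; refuse it
# rather than forwarding it to the modem unchanged.
MARKUP = re.compile(r"<\s*/?\s*[a-z][^>]*>|javascript:", re.IGNORECASE)
CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


class SmsSendPolicy:
    """Hardened front door for a hypothetical /api/sms/send handler.

    evaluate() returns (accepted, reason); only accepted requests should reach
    the modem. Checks run in order: credential hygiene, authentication,
    destination validation, message validation, rate limit.
    """

    def __init__(self, valid_accounts, now=time.monotonic):
        # username -> password. In real firmware store a password hash and
        # compare with a constant-time check; plain text is used here only to
        # keep the example short.
        self.valid_accounts = dict(valid_accounts)
        self.now = now  # injectable clock so the limiter can be tested
        self.history = defaultdict(deque)  # username -> timestamps of accepted sends

    def evaluate(self, request):
        username = request.get("username", "")
        password = request.get("password", "")

        # 1. Refuse to operate at all while a factory credential is in use.
        if (username, password) in DEFAULT_CREDENTIALS:
            return False, "default credentials are not accepted"

        # 2. Authenticate against the configured accounts.
        if self.valid_accounts.get(username) != password:
            return False, "authentication failed"

        # 3. Destination must be a well-formed E.164 number, nothing else.
        dest = request.get("destination", "")
        if not E164.fullmatch(dest):
            return False, "destination must be E.164"

        # 4. Message must be non-empty, bounded, and free of markup/control bytes.
        msg = request.get("message", "")
        if not msg or len(msg) > MAX_MESSAGE_LENGTH:
            return False, "message length out of range"
        if CONTROL.search(msg) or MARKUP.search(msg):
            return False, "message contains markup or control characters"

        # 5. Per-account sliding-window rate limit; drop timestamps older
        #    than the window, then count what remains.
        t = self.now()
        sent = self.history[username]
        while sent and t - sent[0] > WINDOW_SECONDS:
            sent.popleft()
        if len(sent) >= MAX_SENDS_PER_WINDOW:
            return False, "rate limit exceeded"
        sent.append(t)
        return True, "accepted"


if __name__ == "__main__":
    policy = SmsSendPolicy({"admin": "S3cure!pass"})
    req = {"username": "admin", "password": "S3cure!pass",
           "destination": "+15551234567", "message": "Meeting moved to 3pm"}
    print(policy.evaluate(req))
```

The limiter is keyed on the authenticated account rather than on source IP because a single compromised account is the abuse pattern described in the article; a production build would add a per-device global cap as well, since a SIM has a finite send budget regardless of how many accounts exist.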

To automate these operations at scale, threat actors have repurposed compromised routers into distributed SMS-spam bots.

Custom scripts cycle through recipient lists, randomize sender IDs, and rotate message templates. Some variants even integrate with public paste sites to dynamically update malicious URLs, evading static detection by URL-filtering solutions.

By understanding this infection mechanism, defenders can harden their environments: enforce strong administrative credentials, disable unused SMS interfaces, and apply firmware updates that incorporate proper authentication and rate-limiting controls.

These measures, combined with proactive SMS-traffic monitoring, can disrupt the rapid growth of this stealthy and impactful threat.
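The monitoring blind spot the article describes (SMS logs on routers going unreviewed) can be closed with a small analyser run over the router's request log. The following is an added example, not code from the article or from Sekoia: it parses a constructed, hypothetical log format for the SMS-send endpoint and raises three kinds of alert that map to the behaviour described above: the API being reached from outside the LAN, message bodies carrying links (with link shorteners flagged separately), and bursts of sends from one source. The log format, the LAN range, the shortener list and the burst threshold are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical router access-log line for the SMS endpoint (constructed format):
#   <iso8601> <src-ip> POST /api/sms/send <status> user=<u> dest=<num> msg="<body>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) POST /api/sms/send (?P<status>\d{3}) '
    r'user=(?P<user>\S+) dest=(?P<dest>\S+) msg="(?P<msg>.*)"$'
)
URL_RE = re.compile(r'https?://[^\s"]+', re.IGNORECASE)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}   # assumed watch-list
LAN = ipaddress.ip_network("192.168.0.0/16")               # assumed management LAN
BURST_THRESHOLD = 10                                       # sends ...
BURST_WINDOW = timedelta(minutes=5)                        # ... per window


def parse(line):
    """Return a dict for a well-formed SMS-send log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyse(lines):
    """Yield (kind, subject, detail) alerts for successful SMS sends."""
    alerts = []
    sends_by_src = defaultdict(list)
    wan_seen = set()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["status"] != "200":
            continue  # only accepted sends matter for these checks
        # 1. Management/SMS API reached from an address outside the LAN.
        if ipaddress.ip_address(ev["src"]) not in LAN and ev["src"] not in wan_seen:
            wan_seen.add(ev["src"])
            alerts.append(("wan_source", ev["src"], ev["ts"]))
        # 2. Link in the message body; shorteners are the stronger signal.
        for url in URL_RE.findall(ev["msg"]):
            host = url.split("/")[2].lower()
            kind = "shortener_link" if host in SHORTENERS else "link"
            alerts.append((kind, ev["dest"], url))
        sends_by_src[ev["src"]].append(ev["ts"])
    # 3. Burst: BURST_THRESHOLD or more sends from one source inside BURST_WINDOW.
    for src, times in sends_by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                alerts.append(("burst", src, times[start]))
                break
    return alerts


def alert_counts(lines):
    """Summarise analyse() output as {kind: count}."""
    counts = {}
    for kind, _, _ in analyse(lines):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample: one benign LAN-originated send, then twelve sends in two
# minutes from a non-LAN address, each carrying a shortener link.
SAMPLE_LOG = [
    '2025-09-03T10:00:00Z 192.168.1.50 POST /api/sms/send 200 '
    'user=admin dest=+15551230000 msg="Gate code is 4411"',
] + [
    f'2025-09-03T10:0{i // 6}:{(i % 6) * 10:02d}Z 203.0.113.7 POST /api/sms/send 200 '
    f'user=admin dest=+1555123{i:04d} msg="Your account requires verification: http://bit.ly/verify-now"'
    for i in range(12)
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
    print(alert_counts(SAMPLE_LOG))
```

Each check is independent, so a single alert type firing on its own (one outbound link from a LAN host, say) is low severity, while the combination seen in the sample, a non-LAN source sending a burst of shortener links, is the pattern to page on.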


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.