Hackers Exploit Cellular Routers’ APIs to Dispatch Malicious SMS Messages with Embedded Threats

In a recent wave of cyberattacks, malicious actors have exploited vulnerabilities in the web-based management interfaces of certain cellular routers to hijack their SMS functionalities. By targeting exposed APIs, these attackers have been able to send large volumes of malicious SMS messages containing links that lead to malware downloads or credential-stealing websites. This tactic transforms legitimate network devices into tools for widespread phishing campaigns and malware distribution.

Understanding the Attack Mechanism

Throughout August and September 2025, security operations centers observed unusual spikes in SMS traffic originating from residential and enterprise routers, rather than from traditional cellular networks. Researchers at Sekoia identified that threat actors were systematically scanning for endpoints exposing vendor APIs, particularly on models utilizing TR-064 or custom HTTP-based SMS interfaces.

Once these interfaces are discovered, attackers exploit them to send arbitrary SMS messages via the SIM card installed in the router. The affected routers often share common vulnerabilities, such as unchanged default credentials and outdated firmware lacking API rate-limiting or proper input validation.

The Evolution of the Threat

The rapid adoption of this technique underscores a significant oversight: network administrators seldom monitor SMS logs on routers as diligently as they do network traffic or firewall events. Consequently, large-scale campaigns have operated undetected for weeks, allowing attackers to refine their messaging strategies and evade detection.

Initial lure messages often masquerade as two-factor authentication requests or urgent account recovery notifications, exploiting user trust in SMS communications. Subsequent campaigns become more targeted, based on data harvested from earlier attacks, thereby increasing the likelihood of user engagement and subsequent compromise.

Broader Implications and Risks

Beyond the immediate threat of credential theft, successful exploitation can lead to the deployment of secondary payloads that infiltrate local networks. When a victim clicks on a malicious link, a drive-by exploit chain may install a backdoor on the user’s device, granting attackers persistent access.

In corporate environments, such intrusions can facilitate lateral movement within the network, data exfiltration, or the enrollment of additional devices into the SMS-spam network. This amplifies both reconnaissance capabilities and monetization opportunities for the attackers.

Technical Exploitation Details

At the core of this campaign is the abuse of the router’s SMS API endpoint. Attackers first gain access by brute-forcing or enumerating default administrative credentials, allowing them to obtain shell-level or web-server access. With valid credentials, they issue HTTP requests that mimic legitimate SMS-sending commands.

In many affected devices, the API lacks strong input sanitization, enabling attackers to inject HTML or JavaScript into the message payload. This allows for more sophisticated attacks, such as embedding links that automatically execute malicious code upon clicking, without triggering browser warnings.

Mitigation Strategies

To defend against such attacks, it is crucial to implement the following measures:

1. Change Default Credentials: Immediately update default administrative usernames and passwords to strong, unique combinations.

2. Firmware Updates: Regularly check for and apply firmware updates from the router manufacturer to patch known vulnerabilities.

3. Disable Unnecessary Services: Turn off unused services and APIs, especially those accessible from external networks.

4. Monitor Logs: Implement monitoring of SMS logs and network traffic for unusual activity, such as unexpected spikes in outbound SMS messages.

5. Network Segmentation: Isolate critical network devices to limit the potential spread of an attack.

6. User Education: Train users to recognize phishing attempts and to avoid clicking on suspicious links, even if they appear to come from trusted sources.
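As an added example that is not from the article or from Sekoia, the monitoring in item 4 implemented over a constructed router SMS log: it flags minutes with a burst of outbound messages and bodies carrying links or HTML markup, which also covers the unsanitized payloads described under Technical Exploitation Details. The log format, field names and thresholds are assumptions, not any vendor's real format.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of a router's outbound-SMS log. The line format is an
# assumption for this example, not any vendor's real format; adapt LINE_RE.
SAMPLE_LOG = """\
2025-09-03T10:00:01 sms-out dst=+15550000001 src=cli body=Gate code is 4412
2025-09-03T14:12:00 sms-out dst=+15550000002 src=web body=Account locked. Verify: http://login.example.invalid/r1
2025-09-03T14:12:02 sms-out dst=+15550000003 src=web body=Account locked. Verify: http://login.example.invalid/r2
2025-09-03T14:12:05 sms-out dst=+15550000004 src=web body=Account locked. Verify: http://login.example.invalid/r3
2025-09-03T14:12:09 sms-out dst=+15550000005 src=web body=<a href="http://login.example.invalid/r4">Verify now</a>
2025-09-03T15:30:40 sms-out dst=+15550000001 src=cli body=Backup power restored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sms-out dst=(?P<dst>\S+) src=(?P<src>\S+) body=(?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)   # links in message bodies
MARKUP_RE = re.compile(r"</?[A-Za-z][^>]*>")          # HTML/JS markup in bodies

def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "dst": m["dst"],
                           "src": m["src"], "body": m["body"]})
    return events

def find_bursts(events, threshold=3):
    """Minutes in which the outbound SMS count reaches the threshold (spike detection)."""
    per_minute = Counter(e["ts"].replace(second=0, microsecond=0) for e in events)
    return sorted((m.isoformat(), n) for m, n in per_minute.items() if n >= threshold)

def flag_bodies(events):
    """Messages carrying a URL or markup, with the reason(s) for each flag."""
    flagged = []
    for e in events:
        reasons = [name for name, rx in (("url", URL_RE), ("markup", MARKUP_RE))
                   if rx.search(e["body"])]
        if reasons:
            flagged.append((e["dst"], e["src"], reasons))
    return flagged

def analyze(text, threshold=3):
    """Run both checks over a log and return the findings for alerting."""
    events = parse_log(text)
    return {"bursts": find_bursts(events, threshold), "flagged": flag_bodies(events)}
```

On the sample log, `analyze(SAMPLE_LOG)` reports one burst minute (14:12, four messages) and four flagged bodies, all sent through the web interface, which is the pairing a SOC would alert on.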

Conclusion

The exploitation of cellular routers’ APIs to send malicious SMS messages represents a significant evolution in cyberattack strategies. By transforming legitimate network devices into tools for phishing and malware distribution, attackers can bypass traditional security measures and reach a wide array of potential victims. Proactive measures, including regular firmware updates, credential management, and vigilant monitoring, are essential to mitigate this emerging threat.