

Ethical Hacking News

CISA Adds Actively Exploited Sierra Wireless Router Flaw to Known Exploited Vulnerabilities (KEV) Catalog, Urging Federal Agencies to Patch Devices



CISA has added a high-severity vulnerability impacting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities catalog, urging federal agencies to patch devices due to active exploitation in the wild. The vulnerability allows for remote code execution and can be exploited by sending malicious HTTP requests.

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw to its Known Exploited Vulnerabilities (KEV) catalog, impacting Sierra Wireless AirLink ALEOS routers.
  • The vulnerability, CVE-2018-4063, has a CVSS score of 8.8/9.9 and refers to an unrestricted file upload vulnerability that could be exploited for remote code execution.
  • CISA is urging federal agencies to update or replace these devices with supported versions by January 2, 2026, to prevent potential cyber threats.
  • The vulnerability was first publicly shared in April 2019 and has been exploited in the wild, highlighting the importance of timely patching and security measures.



    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a high-severity flaw impacting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild. This move comes as a warning to federal agencies that have these devices in their networks, urging them to update or replace them with supported versions to prevent potential cyber threats.

    The vulnerability in question is CVE-2018-4063, which has a CVSS score of 8.8/9.9 and refers to an unrestricted file upload vulnerability that could be exploited to achieve remote code execution by means of a malicious HTTP request. This vulnerability was first publicly shared by Cisco Talos in April 2019, describing it as an exploitable remote code execution vulnerability in the ACEManager "upload.cgi" function of Sierra Wireless AirLink ES450 firmware version 4.9.3.

    According to the details provided by Cisco Talos, the vulnerability exists in the template file upload capability of the AirLink 450, which lets the uploader specify the name of the file being uploaded. No restrictions protect the files already on the device that are used for normal operation, so an attacker can send HTTP requests to the "/cgi-bin/upload.cgi" endpoint to upload a file with the same name as one that already exists in the directory. The uploaded file inherits the existing file's permissions, and because ACEManager runs as root, any uploaded shell script or executable runs with elevated privileges.

    The addition of CVE-2018-4063 to the KEV catalog is a stark reminder of the importance of timely patching and maintaining up-to-date security measures for industrial routers. As Forescout's honeypot analysis over a 90-day period revealed, these devices are frequently targeted by threat actors attempting to deliver various types of malware, including botnet and cryptocurrency miner families such as RondoDox, Redtail, and ShadowV2.

    One notable example is the Chaya_005 threat cluster that weaponized CVE-2018-4063 in early January 2024 to upload an unspecified malicious payload with the name "fw_upload_init.cgi." Although no further successful exploitation efforts have been detected since then, this incident highlights the potential for these vulnerabilities to be exploited by sophisticated actors.
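    A defender-side check for the upload pattern described above, as an added example that is not code from the article, Cisco Talos, Forescout or Sierra Wireless: it parses captured multipart requests to "/cgi-bin/upload.cgi" and flags uploads whose filename collides with a protected file or carries a script extension. The capture record layout, the form field name "file", the extension list and the sample filenames other than "fw_upload_init.cgi" are assumptions made for illustration.

```python
from email.parser import BytesParser
from email.policy import default
import posixpath

UPLOAD_PATH = "/cgi-bin/upload.cgi"        # endpoint named in the article
PROTECTED_NAMES = {"fw_upload_init.cgi"}   # name cited in the article; extend from your device inventory
SCRIPT_EXTS = (".cgi", ".sh")              # assumption: extensions treated as executable content

def uploaded_filenames(content_type, body):
    """Return the filename parameter of every part in a multipart/form-data body."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = BytesParser(policy=default).parsebytes(raw)
    if not msg.is_multipart():
        return []
    return [p.get_filename() for p in msg.iter_parts() if p.get_filename()]

def inspect_request(method, path, content_type, body):
    """Return findings for one captured HTTP request (empty list = nothing to report)."""
    if method.upper() != "POST" or path.split("?", 1)[0] != UPLOAD_PATH:
        return []
    findings = []
    for name in uploaded_filenames(content_type, body):
        # Compare on the final path component, since clients may send a full path.
        base = posixpath.basename(name.replace("\\", "/"))
        if base in PROTECTED_NAMES:
            findings.append("overwrites existing file: " + base)
        elif base.lower().endswith(SCRIPT_EXTS):
            findings.append("script or executable upload: " + base)
    return findings

def sample_request(filename, method="POST", path=UPLOAD_PATH):
    """Build a constructed capture record; the field name "file" is made up."""
    boundary = "sampleboundary"
    body = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n"
            "constructed sample content\r\n"
            f"--{boundary}--\r\n").encode()
    return method, path, f"multipart/form-data; boundary={boundary}", body

if __name__ == "__main__":
    for req in (sample_request("site-template.xml"),
                sample_request("fw_upload_init.cgi"),
                sample_request("helper.sh")):
        print(req[1], inspect_request(*req))
```

    Matching on the protected-name set first keeps the highest-signal finding (a collision with a file the device already uses) distinct from the broader script-extension heuristic.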

    In light of active exploitation of CVE-2018-4063 and the end-of-support status of Sierra Wireless AirLink ALEOS routers, CISA is advising federal civilian executive branch agencies to update their devices to a supported version or discontinue use of these products by January 2, 2026. This move underscores the importance of proactive cybersecurity measures in preventing potential breaches.

    The exploitation of this vulnerability serves as a timely reminder for organizations to prioritize firmware security and keep their networks up-to-date with the latest patches. As the threat landscape continues to evolve, it is crucial that companies remain vigilant and take swift action to protect themselves against newly discovered vulnerabilities.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/CISA-Adds-Actively-Exploited-Sierra-Wireless-Router-Flaw-to-Known-Exploited-Vulnerabilities-KEV-Catalog-Urging-Federal-Agencies-to-Patch-Devices-ehn.shtml

  • https://thehackernews.com/2025/12/cisa-adds-actively-exploited-sierra.html

  • https://www.cisa.gov/news-events/alerts/2025/06/02/cisa-adds-five-known-exploited-vulnerabilities-catalog

  • https://nvd.nist.gov/vuln/detail/CVE-2018-4063

  • https://www.cvedetails.com/cve/CVE-2018-4063/


  • Published: Sat Dec 13 06:56:30 2025 by llama3.2 3B Q4_K_M












