CISA Flags Critical Vulnerability in Sierra Wireless Routers Amid Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a significant security flaw affecting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog. This action follows reports of active exploitation of the vulnerability in real-world scenarios.
Understanding the Vulnerability
Identified as CVE-2018-4063, this high-severity flaw carries a Common Vulnerability Scoring System (CVSS) score ranging between 8.8 and 9.9. The vulnerability arises from an unrestricted file upload mechanism within the routers, which can be exploited through specially crafted HTTP requests. Such exploitation allows unauthorized users to upload executable code to the device’s web server, potentially leading to remote code execution.
CISA elaborated on the issue, stating that a malicious HTTP request could facilitate the upload of a file, resulting in executable code being placed and accessible on the web server. An attacker can trigger this vulnerability by making an authenticated HTTP request.
Historical Context and Technical Details
The vulnerability was publicly disclosed by Cisco Talos in April 2019. It specifically affects the ACEManager upload.cgi function in Sierra Wireless AirLink ES450 firmware version 4.9.3. Cisco Talos had initially reported the flaw to Sierra Wireless in December 2018.
The core issue lies in the file upload capability for templates within the AirLink ES450. When uploading template files, users can specify the file name. However, there are no safeguards to protect existing files essential for the device’s normal operation. If a file is uploaded with the same name as an existing file in the directory, it inherits the permissions of the original file.
Notably, some files in the directory, such as fw_upload_init.cgi or fw_status.cgi, possess executable permissions. This means an attacker can send HTTP requests to the /cgi-bin/upload.cgi endpoint to upload a file with the same name, thereby achieving code execution. Compounding the risk, ACEManager operates with root privileges, so any shell script or executable uploaded runs with elevated permissions.
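The failure mode described above has two defender-facing sides: the safeguards the upload handler lacked, and what the resulting overwrite looks like on disk. The following Python is an added example written for this page; it is not code from the article, Sierra Wireless or ACEManager. It builds a throwaway directory containing files named after the executables the article mentions, shows a hardened upload routine that refuses to overwrite protected or existing files and never stores an upload as executable, and then runs a baseline/verify integrity check that flags a replaced fw_upload_init.cgi. The directory layout, the protected-name list and the sample contents are constructed assumptions.

```python
"""Added example (not from the article or Sierra Wireless): defender-side checks
for an upload handler that lets the caller choose the file name, overwrite an
existing CGI executable and inherit its permissions.

1. safe_save_upload(): the safeguards the article says were missing
   (name sanitisation, no-overwrite, protected-name denylist, fixed
   non-executable mode).
2. detect_replaced_executables(): a baseline/verify integrity check that
   reports CGI files whose content changed, which is what an overwrite of
   fw_upload_init.cgi looks like on disk.
Everything runs inside a temporary directory built here (constructed data).
"""
import hashlib
import os
import re
import stat
import tempfile

# Executable CGI names the article lists for the upload directory (assumed list).
PROTECTED_NAMES = {"fw_upload_init.cgi", "fw_status.cgi", "upload.cgi"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def safe_save_upload(upload_dir, requested_name, data):
    """Store an uploaded template; return its path or raise ValueError."""
    name = os.path.basename(requested_name)  # strip any directory component
    if name != requested_name or not SAFE_NAME.match(name) or name.startswith("."):
        raise ValueError("rejected file name")
    if name in PROTECTED_NAMES:
        raise ValueError("name collides with a protected file")
    dest = os.path.join(upload_dir, name)
    # O_EXCL makes the create fail if the file exists: nothing is ever replaced.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(dest, 0o644)  # never executable, whatever the process umask is
    return dest


def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def baseline(cgi_dir):
    """Record content hash and mode of every file in the CGI directory."""
    return {n: (_sha256(os.path.join(cgi_dir, n)),
                os.stat(os.path.join(cgi_dir, n)).st_mode)
            for n in sorted(os.listdir(cgi_dir))}


def detect_replaced_executables(cgi_dir, base):
    """Return names whose content changed, or new files that are executable."""
    findings = []
    for n in sorted(os.listdir(cgi_dir)):
        p = os.path.join(cgi_dir, n)
        mode = os.stat(p).st_mode
        if n in base and _sha256(p) != base[n][0]:
            findings.append(n)
        elif n not in base and mode & stat.S_IXUSR:
            findings.append(n)
    return findings


def demo():
    """Build a constructed CGI directory and exercise both checks."""
    d = tempfile.mkdtemp()
    for n in ("fw_upload_init.cgi", "fw_status.cgi"):
        with open(os.path.join(d, n), "w") as f:
            f.write("#!/bin/sh\necho original\n")
        os.chmod(os.path.join(d, n), 0o755)
    base = baseline(d)
    results = {}
    # The hardened handler refuses a name that collides with a protected executable.
    try:
        safe_save_upload(d, "fw_upload_init.cgi", b"#!/bin/sh\necho replaced\n")
        results["overwrite_blocked"] = False
    except ValueError:
        results["overwrite_blocked"] = True
    # A legitimate template lands as a plain, non-executable file.
    p = safe_save_upload(d, "site.tpl", b"template")
    results["upload_mode"] = stat.S_IMODE(os.stat(p).st_mode)
    # Simulate the unsafe handler: an overwrite keeps the original 0755 mode.
    with open(os.path.join(d, "fw_upload_init.cgi"), "w") as f:
        f.write("#!/bin/sh\necho replaced\n")
    results["findings"] = detect_replaced_executables(d, base)
    return results


if __name__ == "__main__":
    print(demo())
```

The integrity check is the part that transfers to appliances you cannot patch immediately: a hash baseline of the CGI directory taken from a known-good firmware image, re-verified on a schedule, turns the overwrite the article describes into a concrete alert.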
Recent Exploitation and Broader Implications
The inclusion of CVE-2018-4063 in the KEV catalog coincides with findings from a 90-day honeypot analysis by Forescout. The study revealed that industrial routers are among the most targeted devices in operational technology (OT) environments. Threat actors have been observed attempting to deploy botnets and cryptocurrency mining malware, such as RondoDox, Redtail, and ShadowV2, by exploiting various vulnerabilities, including:
– CVE-2024-12856 (affecting Four-Faith routers)
– CVE-2024-0012, CVE-2024-9474, and CVE-2025-0108 (affecting Palo Alto Networks PAN-OS)
Additionally, a previously unidentified threat group, designated as Chaya_005, exploited CVE-2018-4063 in early January 2024. They uploaded a malicious payload named fw_upload_init.cgi. However, no further successful exploitation attempts by this group have been detected since then. Forescout Research – Vedere Labs suggests that Chaya_005 appears to be conducting a broad reconnaissance campaign, testing multiple vendor vulnerabilities rather than focusing on a single one. They also indicate that this cluster is likely no longer a significant threat.
Recommendations and Next Steps
Given the active exploitation of CVE-2018-4063, CISA advises Federal Civilian Executive Branch (FCEB) agencies to take immediate action. Agencies should update their devices to a supported version or discontinue the use of the affected product by January 2, 2026, as it has reached end-of-support status.
For organizations utilizing Sierra Wireless AirLink ALEOS routers, it is imperative to assess their current firmware versions and apply necessary updates or consider device replacement to mitigate potential security risks.
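The assessment step above is mechanical once an inventory exists. The following Python is an added example, not code from the article or CISA: it cross-checks a constructed device inventory against a KEV entry to produce the list of devices still needing action and the days remaining to the due date. The record is shaped like the entries in CISA's published KEV JSON feed (cveID, vendorProject, product, dueDate, requiredAction) but its values are taken from the article, not from the live feed; the inventory hostnames, the 4.17.0 "supported" build and the minimum-supported cut-off are placeholders, not real Sierra Wireless releases.

```python
"""Added example (not from the article, CISA or Sierra Wireless): list devices
that match a KEV entry and run below an operator-supplied supported-version
cut-off, with the days left until the catalog due date.

KEV_RECORD is constructed in the shape of the published KEV JSON feed; the
values come from the article. INVENTORY and the version cut-off are assumptions.
"""
from datetime import date

KEV_RECORD = {
    "cveID": "CVE-2018-4063",
    "vendorProject": "Sierra Wireless",
    "product": "AirLink ALEOS",
    "dueDate": "2026-01-02",
    "requiredAction": "update to a supported version or discontinue use",
}

# Constructed inventory: (hostname, vendor, product, firmware version).
# 4.9.3 is the version the article names as affected; 4.17.0 is a placeholder.
INVENTORY = [
    ("gw-plant-01", "Sierra Wireless", "AirLink ALEOS", "4.9.3"),
    ("gw-plant-02", "Sierra Wireless", "AirLink ALEOS", "4.9.3"),
    ("gw-depot-07", "Sierra Wireless", "AirLink ALEOS", "4.17.0"),
    ("fw-edge-01", "Other Vendor", "Edge FW", "2.1"),
]


def parse_version(v):
    """Turn 'A.B.C' into a comparable tuple; non-numeric parts sort lowest."""
    parts = []
    for piece in v.split("."):
        parts.append(int(piece) if piece.isdigit() else -1)
    return tuple(parts)


def affected_devices(inventory, kev, min_supported, today):
    """Devices matching the KEV vendor/product and below the cut-off."""
    due = date.fromisoformat(kev["dueDate"])
    out = []
    for host, vendor, product, version in inventory:
        if vendor != kev["vendorProject"] or product != kev["product"]:
            continue
        if parse_version(version) < parse_version(min_supported):
            out.append({
                "host": host,
                "version": version,
                "cve": kev["cveID"],
                "days_left": (due - today).days,
                "action": kev["requiredAction"],
            })
    return out


if __name__ == "__main__":
    # "4.17.0" as the minimum supported version is an assumed cut-off.
    for row in affected_devices(INVENTORY, KEV_RECORD, "4.17.0", date.today()):
        print(row)
```

Feeding the real catalog is a matter of iterating the feed's `vulnerabilities` array with the same field names; the cut-off version should come from the vendor's current support statement rather than being hard-coded.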