At a glance: Confirmed active exploitation of a critical vulnerability in Sierra Wireless AirLink ALEOS routers. The flaw allows authenticated attackers to upload and execute arbitrary files via the ACEmanager interface. Replace affected devices or restrict and harden management access. Field Effect MDR will issue AROs for vulnerable routers and detect suspicious file uploads and credential misuse.
Threat summary
On December 13, CVE-2018-4063 was added to CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The flaw affects Sierra Wireless AirLink ALEOS routers, which are widely deployed in industrial, transportation, and utility environments to provide remote connectivity.
The issue resides in ACEmanager, the web-based management interface used by administrators to configure, monitor, and update routers locally and remotely. Specifically, the upload.cgi function in ACEmanager does not properly validate or restrict uploaded files, enabling a threat actor to upload arbitrary files instead of permitted configuration or update files.
Once uploaded, the malicious file can be executed by the router, allowing the attacker’s code to run on the device. Exploitation requires authenticated access, but weak or default credentials can be leveraged to obtain it.
Successful exploitation could provide control over the router’s operating system, enabling persistence, lateral movement into connected networks, and disruption of communications. The CVSS v3 base score is 9.1, indicating Critical severity.
The vulnerability was first discovered in December 2018, and technical details were shared publicly a few months later, in April 2019. Two days before CVE-2018-4063 was added to the KEV catalog, researchers reported that its exploitation was tied to a newer activity cluster named Chaya_005. The cluster has been active for at least two years; however, few of its attempts involved a well-formed exploit that successfully targeted Sierra Wireless devices.
Insights & mitigations
Legacy vulnerabilities remain viable attack vectors years after disclosure, particularly when tied to management interfaces exposed to the internet without strong controls. In this case, exploitation could lead to complete remote takeover of network infrastructure, especially in critical sectors where these routers are used for industrial connectivity.
Organizations operating Sierra Wireless AirLink ALEOS routers are advised to identify and replace affected devices, particularly legacy ES450 models running firmware version 4.9.3. Where immediate replacement is not feasible:
- Restrict ACEmanager access to trusted networks
- Disable remote administration
- Enforce strong authentication
- Monitor for anomalous HTTP requests to the upload.cgi function
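As an added example (not part of the advisory and not Field Effect's own detection logic), the following Python script applies the last two mitigations above to constructed access-log lines: it flags any request to upload.cgi from outside the trusted management networks and any successful upload that follows a burst of authentication failures from the same source. The combined log format, the `/upload.cgi` URL path and the trusted ranges are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed path of the vulnerable ACEmanager upload handler (the advisory names
# upload.cgi as a function; the exact URL is an assumption here).
UPLOAD_PATH = "upload.cgi"

# Apache/nginx combined-style access log; the field order is an assumption.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (not real router logs): one legitimate upload from
# the management LAN, then a guessing burst and a successful upload from outside.
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Jan/2025:09:01:10 +0000] "POST /upload.cgi HTTP/1.1" 200 512
203.0.113.44 - - [01/Jan/2025:09:02:01 +0000] "POST /upload.cgi HTTP/1.1" 401 0
203.0.113.44 - - [01/Jan/2025:09:02:03 +0000] "POST /upload.cgi HTTP/1.1" 401 0
203.0.113.44 - - [01/Jan/2025:09:02:04 +0000] "POST /upload.cgi HTTP/1.1" 401 0
203.0.113.44 - admin [01/Jan/2025:09:02:06 +0000] "POST /upload.cgi HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2025:09:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_trusted(ip, trusted_nets):
    """True if ip lies inside one of the trusted management networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)

def analyze(log_text, trusted_cidrs, fail_threshold=3):
    """Return (source_ip, reason) alerts for upload.cgi activity that violates
    the access restriction or looks like credential guessing before an upload."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    alerts, flagged_sources = [], set()
    failures = defaultdict(int)  # consecutive 401s per source IP on upload.cgi
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or UPLOAD_PATH not in rec["path"]:
            continue
        ip, status = rec["ip"], int(rec["status"])
        if not is_trusted(ip, trusted) and ip not in flagged_sources:
            flagged_sources.add(ip)
            alerts.append((ip, "upload.cgi request from untrusted network"))
        if status == 401:
            failures[ip] += 1
        elif status == 200 and failures[ip] >= fail_threshold:
            alerts.append((ip, f"upload.cgi success after {failures[ip]} auth failures"))
            failures[ip] = 0
        else:
            failures[ip] = 0
    return alerts

if __name__ == "__main__":
    for src, reason in analyze(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f"ALERT {src}: {reason}")
```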
Field Effect MDR users will be alerted via ARO if vulnerable devices are detected in their environment. For an additional layer of defense, Field Effect MDR detects suspicious activity such as anomalous HTTP requests, suspicious file uploads, and credential misuse across network traffic and endpoints.