Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a high-severity flaw impacting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild. CVE-2018-4063 (CVSS score: 8.8/9.9) refers to an unrestricted file upload vulnerability that could be exploited to achieve remote code
Analysis Summary
# Vulnerability: Unrestricted File Upload Leading to RCE in Sierra Wireless ALEOS Routers
## CVE Details
- CVE ID: CVE-2018-4063
- CVSS Score: 8.8/9.9 (High)
- CWE: CWE-434, Unrestricted Upload of File with Dangerous Type (inferred from the description; the source text does not state a CWE)
## Affected Systems
- Products: Sierra Wireless AirLink routers running ALEOS; the flaw is in the ACEManager web interface, specifically its `upload.cgi` handler.
- Versions: Confirmed on an AirLink ES450 running ALEOS firmware 4.9.3; other ALEOS releases of that era may also be affected. Firmware in this range is end-of-support, so devices still running it should be upgraded to a supported ALEOS release or decommissioned.
- Preconditions: The attacker needs an authenticated ACEManager session (the crafted HTTP request must carry valid credentials) and network reachability of the ACEManager interface.
## Vulnerability Description
This is an unrestricted file upload vulnerability in the ACEManager utility on Sierra Wireless AirLink devices. An authenticated attacker sends a crafted HTTP request to the `/cgi-bin/upload.cgi` endpoint, which accepts both the file contents and the attacker-chosen filename without restricting where the file lands or what it may be named. By supplying the name of an existing executable on the device (e.g., `fw_upload_init.cgi` or `fw_status.cgi`), the attacker overwrites that file while it keeps its executable permissions. Because ACEManager runs as **root**, the next invocation of the overwritten CGI executes the attacker's content with full privileges, i.e., Remote Code Execution (RCE). Authentication is the only control between the attacker and root, so the practical exposure of a given device depends on how well ACEManager credentials and network reachability are managed.
## Exploitation
- Status: **Exploited in the wild**. CISA added the flaw to the KEV catalog following reports of active exploitation; a threat cluster tracked as Chaya\_005 weaponized it in early January 2024.
- Complexity: Low. A single crafted HTTP request suffices; the only precondition is valid ACEManager credentials.
- Attack Vector: Network (via HTTP request)
## Impact
- Confidentiality: High (Execution as root allows access to sensitive configuration/data).
- Integrity: High (Remote Code Execution grants full control over the device).
- Availability: High (RCE can lead to denial of service or device compromise).
## Remediation
### Patches
- The affected firmware has reached End-of-Support, so the vendor's guidance is to upgrade to a **supported ALEOS release**. CISA has set a due date of January 2, 2026 for FCEB agencies to apply mitigations or discontinue use. CISA ICS Advisory ICSA-19-122-03 (2019) lists the fixed releases for products that were still supported at the time of the original disclosure.
- *Note: Specific patched version numbers were not provided in the summary context.*
### Workarounds
- Discontinue use of the end-of-support product by January 2, 2026.
- Until the device is upgraded or retired, expose the ACEManager interface only to a dedicated management network or VPN, never to the internet or the cellular WAN side, and enforce strong, unique ACEManager credentials, since authentication is the only barrier to exploitation.
## Detection
- Indicators of Compromise: HTTP POST requests to `/cgi-bin/upload.cgi` whose uploaded filename matches an existing CGI (`fw_upload_init.cgi`, `fw_status.cgi`) or any other executable name, followed by requests to that CGI from the same client; ACEManager logins from unexpected source addresses shortly before such uploads. Activity attributed to the Chaya\_005 cluster is also relevant, though the source text lists no specific network or file indicators for it.
- Detection methods and tools: Network intrusion detection or web-proxy logging that inspects multipart POST requests to CGI endpoints on the router and alerts on executable or known-CGI filenames. Where the platform allows it, file integrity checks on the CGI binaries involved in firmware updates and status reporting (e.g., comparing `fw_upload_init.cgi` and `fw_status.cgi` against a known-good firmware image).
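The filename check that `upload.cgi` lacks is the same check a detection rule needs: inspect the `filename=` value of every multipart POST to the endpoint and flag names that would overwrite an existing CGI, carry an executable extension, or leave the upload directory. The following is an added example, not code from Sierra Wireless, CISA or Talos. The HTTP request, its host and session cookie are constructed for illustration, and the executable-extension list and allow-list pattern are assumptions a hardened handler might enforce, not documented ALEOS behaviour.

```python
"""Classify attacker-controlled upload filenames sent to /cgi-bin/upload.cgi.

Usable in two roles: as a detection rule over captured HTTP requests, and as
the server-side validation the vulnerable endpoint did not perform.
The sample request at the bottom is CONSTRUCTED for this example.
"""
import posixpath
import re

UPLOAD_ENDPOINT = "/cgi-bin/upload.cgi"
# Existing executables the advisory names as overwrite targets.
PROTECTED_CGI = frozenset({"fw_upload_init.cgi", "fw_status.cgi"})
# Assumption: extensions the web server would execute if written under cgi-bin.
EXECUTABLE_EXT = frozenset({".cgi", ".sh", ".pl"})
# Assumption: allow-list a hardened upload handler would enforce on basenames.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

_DISPOSITION_FILENAME = re.compile(rb'filename="([^"]*)"')


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower().decode()] = value.strip().decode()
    return method.decode(), path.decode(), headers, body


def multipart_filenames(content_type: str, body: bytes):
    """Return the filename= values from every file part of a multipart/form-data body."""
    if not content_type.lower().startswith("multipart/form-data"):
        return []
    match = re.search(r'boundary="?([^";]+)"?', content_type)
    if not match:
        return []
    delimiter = b"--" + match.group(1).encode()
    names = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter: no more parts
            break
        part_head, _, _part_body = chunk.partition(b"\r\n\r\n")
        found = _DISPOSITION_FILENAME.search(part_head)
        if found:
            names.append(found.group(1).decode("utf-8", "replace"))
    return names


def classify_filename(name: str) -> str:
    """Verdict for one attacker-supplied filename, most severe condition first."""
    if not name:
        return "empty"
    # Anything that is not a bare basename can escape the intended directory.
    if "/" in name or "\\" in name or "\x00" in name or name in (".", ".."):
        return "path_traversal"
    if name in PROTECTED_CGI:
        return "overwrites_protected_cgi"
    if posixpath.splitext(name)[1].lower() in EXECUTABLE_EXT:
        return "executable_extension"
    if not SAFE_NAME.match(name):
        return "disallowed_characters"
    return "ok"


def inspect_request(raw: bytes):
    """Detection entry point: (filename, verdict) pairs for uploads to upload.cgi, else []."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path.split("?", 1)[0] != UPLOAD_ENDPOINT:
        return []
    content_type = headers.get("content-type", "")
    return [(n, classify_filename(n)) for n in multipart_filenames(content_type, body)]


def accept_upload(name: str) -> bool:
    """What a hardened upload handler should decide before writing anything to disk."""
    return classify_filename(name) == "ok"


# Constructed sample: an authenticated POST that names an existing CGI as the target.
SAMPLE_REQUEST = (
    b"POST /cgi-bin/upload.cgi HTTP/1.1\r\n"
    b"Host: 192.0.2.10:9191\r\n"
    b"Cookie: session=constructed-example-session\r\n"
    b"Content-Type: multipart/form-data; boundary=----boundaryXYZ\r\n"
    b"\r\n"
    b"------boundaryXYZ\r\n"
    b'Content-Disposition: form-data; name="file"; filename="fw_status.cgi"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"#!/bin/sh\n# constructed placeholder content\n\r\n"
    b"------boundaryXYZ--\r\n"
)

if __name__ == "__main__":
    for filename, verdict in inspect_request(SAMPLE_REQUEST):
        print(f"upload.cgi filename={filename!r} verdict={verdict}")
```

The ordering in `classify_filename` matters: a traversal string is rejected before the protected-name check so that `../cgi-bin/fw_status.cgi` is not reported as a mere overwrite, and a name is only accepted once it has cleared every rejection rule. A real deployment would feed `inspect_request` from a proxy or IDS that reassembles the HTTP body; the handler-side `accept_upload` check is what the vulnerable endpoint should have applied before writing to disk.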
## References
- Advisories: Cisco Talos disclosure (April 2019) describing the vulnerability; CISA ICS Advisory ICSA-19-122-03 (2019) with the vendor's remediation guidance.
- Relevant links:
- CISA KEV Catalog addition: cisa.gov/news-events/alerts/2025/12/12/cisa-adds-one-known-exploited-vulnerability-catalog
- CISA ICS Advisory: cisa.gov/news-events/ics-advisories/icsa-19-122-03
- Cisco Talos Blog: blog.talosintelligence.com/vulnerability-sierra-airlink/