CISA Highlights Sierra Wireless Router Flaw Allowing RCE Exploits
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence that it is being exploited in the wild.
CISA Highlights Sierra Wireless Router Flaw
The vulnerability, tracked as CVE-2018-4063, carries a CVSS v3 base score of 8.8 from NVD (Cisco Talos, which found it, assessed it at 9.9). It is an unrestricted file upload in the router's ACEManager web management interface that can be turned into remote code execution (RCE) with a single malicious HTTP request. CISA notes that a crafted request lets an attacker upload executable code onto the device's web server.
Details of the Vulnerability
The flaw lives in the upload.cgi handler of ACEManager and was identified in Sierra Wireless AirLink ES450 firmware version 4.9.3. Cisco Talos reported it to Sierra Wireless in December 2018 and published its advisory in April 2019, so the bug has been public for more than six years.
- Exploit mechanism: upload.cgi does not restrict the name of the uploaded file, so an attacker can upload a file with the same name as an existing file on the device. The overwritten file keeps its original permissions.
- Files such as fw_upload_init.cgi and fw_status.cgi are executable, so overwriting one of them places attacker-supplied code where the web server will run it.
- ACEManager runs as root, so any uploaded script executes with full privileges on the router.
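The permission-inheritance behaviour described above is a general property of upload handlers that truncate and overwrite an existing file in place: the inode, and therefore its mode bits, survives. The following is an added example written for this article, not Sierra Wireless or Talos code, and it does not reproduce ACEManager's upload.cgi. It shows a minimal handler with that defect beside a hardened one, using a constructed webroot whose only file is an executable named fw_status.cgi (the name comes from the advisory; the directory, function names and payload are assumptions). It runs on Linux or macOS, where mode bits are meaningful.

```python
"""Added example: upload handler that lets an uploaded file inherit the
permissions of an existing executable, beside a hardened handler.
Not the vendor's code; directory layout and payload are constructed."""
import os
import stat
import tempfile


def save_upload_vulnerable(upload_dir: str, filename: str, data: bytes) -> str:
    """Defective pattern: the name comes straight from the request and an
    existing file is truncated and rewritten. Truncation does not change
    the inode's mode, so an executable target stays executable and now
    holds attacker-controlled content."""
    path = os.path.join(upload_dir, filename)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


class UploadRejected(Exception):
    """Raised by the hardened handler when an upload violates policy."""


def save_upload_hardened(upload_dir: str, filename: str, data: bytes) -> str:
    """Hardened variant: accept only a plain base name, never overwrite,
    and create the file with O_EXCL and a non-executable mode so there is
    no pre-existing inode whose permission bits could be inherited."""
    if filename in ("", ".", "..") or filename != os.path.basename(filename):
        raise UploadRejected("path components are not allowed in the file name")
    path = os.path.join(upload_dir, filename)
    if os.path.lexists(path):
        raise UploadRejected("refusing to overwrite an existing file")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)
    return path


def is_executable(path: str) -> bool:
    """True if the owner execute bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IXUSR)


def demo() -> dict:
    """Constructed scenario: a webroot with an executable fw_status.cgi.
    Returns a dict of observations so the outcome can be checked."""
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "fw_status.cgi")
        with open(target, "wb") as fh:
            fh.write(b"#!/bin/sh\necho status\n")
        os.chmod(target, 0o755)                      # executable CGI, as on the device
        payload = b"#!/bin/sh\nid\n"                 # constructed stand-in for attacker code

        # Vulnerable handler: file is replaced, execute bit is inherited.
        save_upload_vulnerable(root, "fw_status.cgi", payload)
        vuln_exec = is_executable(target)
        with open(target, "rb") as fh:
            vuln_replaced = fh.read() == payload

        # Hardened handler: refuses the overwrite and a traversal attempt,
        # and any file it does create is not executable.
        try:
            save_upload_hardened(root, "fw_status.cgi", payload)
            rejects_overwrite = False
        except UploadRejected:
            rejects_overwrite = True
        try:
            save_upload_hardened(root, "../fw_status.cgi", payload)
            rejects_traversal = False
        except UploadRejected:
            rejects_traversal = True
        new_path = save_upload_hardened(root, "new_upload.bin", payload)
        new_exec = is_executable(new_path)

    return {
        "vuln_still_executable": vuln_exec,
        "vuln_content_replaced": vuln_replaced,
        "hardened_rejects_overwrite": rejects_overwrite,
        "hardened_rejects_traversal": rejects_traversal,
        "hardened_new_file_executable": new_exec,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The refusal to overwrite is the decisive control here: a name allowlist or an extension filter would not have helped against a request that reuses the exact name of a legitimate CGI. Running the whole web interface as root, as ACEManager does, is what turns the overwritten file into a full compromise rather than a web-tier one.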
Recent Exploitation Trends
A recent 90-day analysis by Forescout found that industrial routers are among the most targeted devices in operational technology environments. Attackers have attempted to deploy botnet and cryptocurrency-miner malware through this vulnerability.
A previously undocumented threat cluster, Chaya_005, exploited CVE-2018-4063 in January 2024 to upload a malicious payload. No further exploitation has been reported since, leading researchers to believe the cluster is unlikely to remain significant.
Recommendations for Users
Because the flaw is now in the KEV catalog, Binding Operational Directive 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate it by January 2, 2026: either update affected devices to a supported firmware version or, since the affected models have reached end of support, discontinue their use. Other organizations running AirLink ALEOS routers should follow the same guidance, and should in any case not expose the ACEManager interface on an internet-facing port.