The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a significant vulnerability affecting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities catalog due to reports of active exploitation. This flaw, identified as CVE-2018-4063 (with a CVSS score of 8.8/9.9), allows attackers to execute remote code through unrestricted file uploads via a malicious HTTP request.
CISA emphasized the risk, stating that a crafted HTTP request could upload a file, enabling executable code to be deployed on the web server. The agency highlighted that authenticated requests could be utilized to exploit this vulnerability.
The vulnerability was first publicized by Cisco Talos in April 2019, which described it as an exploitable flaw in the ACEManager’s "upload.cgi" function in the firmware of Sierra Wireless AirLink ES450 routers. Talos reported it to Sierra Wireless in December 2018, noting that the upload function lacks the restrictions that would protect existing files crucial to normal operation. If an uploaded file carries the same name as a file already in the directory, it replaces that file and inherits its permissions, which can give an attacker code execution.
Certain files in the directory, such as "fw_upload_init.cgi" and "fw_status.cgi," carry executable permissions, so an attacker can abuse the "/cgi-bin/upload.cgi" endpoint by uploading a malicious file under one of those names and gain control of the device. The issue is further exacerbated because ACEManager runs with root privileges, meaning any uploaded script is executed with elevated access.
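To make that mechanism concrete, here is an added Python example (not code from the article or from Sierra Wireless) showing why overwriting an existing executable keeps its mode bits, alongside a save routine that refuses to replace existing files and never creates executable uploads; the temporary directory, the script contents and the `report.txt` name are constructed for the demo.

```python
# Added example: permission inheritance on overwrite vs. a restricted save.
# Directory contents and payloads below are constructed for the demo.
import os
import stat
import tempfile

def save_unrestricted(upload_dir: str, name: str, data: bytes) -> int:
    """Vulnerable pattern: write to whatever name the client supplied.
    If the target already exists, open() truncates it in place, so the
    existing mode bits (including any execute bits) are preserved."""
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)

def save_restricted(upload_dir: str, name: str, data: bytes) -> int:
    """Hardened pattern: reject path components, refuse to replace any
    existing file (O_EXCL), and create the file 0600 so an upload can
    neither be executed nor overwrite a script the server relies on."""
    if name != os.path.basename(name) or name in ("", ".", ".."):
        raise ValueError("invalid upload name")
    path = os.path.join(upload_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)

def demo() -> dict:
    """Constructed scenario: a directory holding an executable CGI script
    (name taken from the article), then an upload reusing that name."""
    with tempfile.TemporaryDirectory() as d:
        existing = os.path.join(d, "fw_status.cgi")
        with open(existing, "wb") as f:
            f.write(b"#!/bin/sh\necho original\n")
        os.chmod(existing, 0o755)
        payload = b"#!/bin/sh\necho replaced\n"  # harmless stand-in
        inherited = save_unrestricted(d, "fw_status.cgi", payload)
        try:
            save_restricted(d, "fw_status.cgi", payload)
            blocked = False
        except FileExistsError:
            blocked = True
        fresh = save_restricted(d, "report.txt", b"not a script")
        return {"inherited_mode": inherited,
                "overwrite_blocked": blocked,
                "fresh_mode": fresh}

if __name__ == "__main__":
    print(demo())
```

The unrestricted path reports mode 0o755 for the replaced script, while the restricted path raises on the name collision and creates the fresh file as 0o600.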
CISA’s inclusion of CVE-2018-4063 follows a report indicating that industrial routers rank among the most frequently attacked devices in operational technology environments. Threat actors have been identified attempting to deploy botnet and cryptocurrency mining malware through a variety of vulnerabilities.
Forescout conducted a 90-day honeypot analysis revealing a previously undocumented threat cluster named Chaya_005, which exploited CVE-2018-4063 to upload a malicious payload. However, no recent exploitation attempts have been detected from this group.
In light of these active exploits, agencies within the Federal Civilian Executive Branch are urged to upgrade their devices to supported versions or to phase out the product entirely by January 2, 2026, as it has reached its end-of-support status.