The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw affecting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog after reports of active exploitation. The vulnerability, tracked as CVE-2018-4063, allows remote code execution (RCE) through a specially crafted HTTP request.
CVE-2018-4063 Overview
The vulnerability is an unrestricted file upload in the ACEManager upload.cgi function of Sierra Wireless AirLink ES450 routers running firmware version 4.9.3. When a template file is uploaded, the system does not restrict the filename, so an upload that overwrites an existing file in the directory keeps that file's permissions. Certain files, such as fw_upload_init.cgi or fw_status.cgi, have executable permissions. Because ACEManager runs as root, any executable or script written over one of those files runs with elevated privileges.
Cisco Talos reported the flaw to Sierra Wireless in December 2018 and publicly disclosed it in April 2019. It allows an authenticated attacker to craft an HTTP request that uploads a file over an existing file with execute permissions, effectively achieving remote code execution.
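The following is an added, defender-side illustration of the bug class described above (an upload handler that neither restricts filenames nor refuses to overwrite existing executables), together with a small detector for upload requests that name a .cgi file. It is not Sierra Wireless's ACEManager code; the template extension, the upload URL, the query parameter name and the log format are assumptions, and the log lines are constructed.

```python
"""
Hardened template-upload handling and a log-based detector for the
unrestricted-upload pattern described in the article. Added example code,
not ACEManager's own; directory layout, URL and log format are assumed.
"""
import os
import re
import stat
import tempfile

# Assumption: template uploads are XML; executable extensions are never accepted.
ALLOWED_EXTENSIONS = {".xml"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def check_template_filename(name: str, upload_dir: str):
    """Return None if the name is acceptable, else a short rejection reason.

    The three checks close the described bug: no path components or odd
    characters, an allowlisted extension, and no collision with an existing
    file (so a pre-existing executable such as fw_upload_init.cgi can never
    be overwritten and have its permissions inherited).
    """
    if name != os.path.basename(name) or name.startswith(".") or not SAFE_NAME.match(name):
        return "unsafe filename"
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        return "extension not allowed"
    if os.path.lexists(os.path.join(upload_dir, name)):
        return "existing file"
    return None


def save_template(name: str, data: bytes, upload_dir: str) -> str:
    """Write an upload as a brand-new, non-executable file.

    O_CREAT|O_EXCL fails if the file already exists (no overwrite, no race),
    and mode 0o600 means the file has no execute bit even though it sits in
    the same directory as executable CGI scripts.
    """
    reason = check_template_filename(name, upload_dir)
    if reason is not None:
        raise ValueError(reason)
    path = os.path.join(upload_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


# Detection side. Constructed access-log lines in Common Log Format; the
# upload filename being carried as a "filename" query parameter is an assumption.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jan/2024:10:00:01 +0000] "POST /cgi-bin/upload.cgi?filename=fw_upload_init.cgi HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/Jan/2024:10:02:11 +0000] "POST /cgi-bin/upload.cgi?filename=site_template.xml HTTP/1.1" 200 2048',
    '203.0.113.7 - - [12/Jan/2024:10:03:30 +0000] "GET /cgi-bin/fw_status.cgi HTTP/1.1" 200 128',
]
LOG_RE = re.compile(r'"POST [^" ]*upload\.cgi\?filename=([^ "&]+)')


def suspicious_uploads(log_lines):
    """Return (client_ip, filename) for uploads that target a .cgi name or a path."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        fname = m.group(1)
        if fname.lower().endswith(".cgi") or "/" in fname or ".." in fname:
            hits.append((line.split()[0], fname))
    return hits


def demo() -> dict:
    """Recreate the described directory in a temp dir and return the outcomes."""
    d = tempfile.mkdtemp()
    # Pre-existing executable CGI and an existing template (constructed).
    cgi = os.path.join(d, "fw_upload_init.cgi")
    with open(cgi, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(cgi, 0o755)
    open(os.path.join(d, "default.xml"), "w").close()
    results = {
        "upload_cgi_name": check_template_filename("fw_upload_init.cgi", d),
        "overwrite_existing": check_template_filename("default.xml", d),
        "traversal": check_template_filename("../etc/passwd", d),
        "good": check_template_filename("site_template.xml", d),
    }
    path = save_template("site_template.xml", b"<template/>", d)
    results["exec_bit"] = bool(os.stat(path).st_mode & stat.S_IXUSR)
    return results


if __name__ == "__main__":
    print(demo())
    print(suspicious_uploads(SAMPLE_LOG))
```

The two halves map to the two mitigations a defender cares about here: the handler refuses the filename before any write happens (and never grants an execute bit even on an accepted file), and the detector surfaces requests that try to upload a .cgi name to the template endpoint, which is exactly the shape of the fw_upload_init.cgi payload mentioned later in the article.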
Threat Activity and Observations
Forescout conducted a 90-day honeypot analysis that confirmed industrial routers are among the most targeted devices in operational technology environments. Attackers often exploit vulnerabilities to deliver botnet and cryptocurrency mining malware, including RondoDox, Redtail, and ShadowV2. Other targeted vulnerabilities include:
- CVE-2024-12856 (Four-Faith routers)
- CVE-2024-0012, CVE-2024-9474, CVE-2025-0108 (Palo Alto Networks PAN-OS)
Additionally, a previously undocumented threat cluster named Chaya_005 exploited CVE-2018-4063 in January 2024 to upload a malicious payload named fw_upload_init.cgi. According to Forescout, this cluster was conducting broad reconnaissance rather than sustained attacks and is likely no longer a significant threat.