The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a high-severity flaw affecting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog following reports of it being exploited in the wild.
CVE-2018-4063 (CVSS score: 8.8/9.9) refers to an unrestricted file upload vulnerability that can be exploited to cause remote code execution via a malicious HTTP request.
“A specially crafted HTTP request could result in a file being uploaded, which could result in executable code being uploaded and routed to a web server,” the agency said. “An attacker could craft an authenticated HTTP request to trigger this vulnerability.”
Details of the six-year-old vulnerability were published by Cisco Talos in April 2019 and described as an exploitable remote code execution vulnerability in the ACEManager “upload.cgi” function of Sierra Wireless AirLink ES450 firmware version 4.9.3. Talos reported this flaw to the Canadian company in December 2018.
The company says, “This vulnerability exists in the template file upload function within AirLink 450.” When a template file is uploaded, the uploader can specify the name under which the file is stored on the device.
“There are no restrictions protecting files that are currently on the device and used for normal operations. If a file is uploaded with the same name as a file that already exists in the directory, it will inherit the permissions of that file.”
Talos noted that some files present within the directory (such as “fw_upload_init.cgi” and “fw_status.cgi”) have executable permissions on the device. This means that an attacker can send an HTTP request to the “/cgi-bin/upload.cgi” endpoint to upload a file with the same name and execute code.
This is further exacerbated by the fact that ACEManager runs as root, which means that any shell scripts or executables uploaded to the device will also run with elevated privileges.
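As an added example (not Sierra Wireless, Talos or Forescout code), the check a hardened template upload handler would apply before writing the file, reused here as a detection pass over captured HTTP requests to the upload endpoint: it flags a submitted name that collides with an existing executable in the CGI directory or escapes that directory. The protected-file set, the endpoint string and the sample requests are constructed from the names given in the article; the directory-escape check is a general hardening step that goes beyond what the page describes.

```python
import posixpath
import re

# Constructed: files already present and executable in the device's CGI directory
# (the first two are the names cited in the Talos write-up, the third is the endpoint).
PROTECTED_NAMES = {"fw_upload_init.cgi", "fw_status.cgi", "upload.cgi"}
UPLOAD_ENDPOINT = b"/cgi-bin/upload.cgi"
_FILENAME_RE = re.compile(rb'filename="([^"\r\n]*)"')


def classify_upload_name(name: str) -> str:
    """Return 'ok', 'traversal' or 'overwrites_executable' for a submitted name.

    A colliding name inherits the existing file's permissions, so a hardened
    handler rejects anything but 'ok' before the file is written.
    """
    normalized = posixpath.normpath(name.replace("\\", "/"))
    if normalized in ("", ".") or normalized.startswith(("/", "..")) or "/" in normalized:
        return "traversal"
    if normalized in PROTECTED_NAMES:
        return "overwrites_executable"
    return "ok"


def extract_upload_names(raw_request: bytes) -> list[str]:
    """Pull every multipart filename= value out of a captured HTTP request."""
    return [m.decode("utf-8", "replace") for m in _FILENAME_RE.findall(raw_request)]


def scan_requests(raw_requests: list[bytes]) -> list[tuple[str, str]]:
    """Return (filename, verdict) for each suspicious POST to the upload endpoint."""
    alerts = []
    for req in raw_requests:
        request_line = req.split(b"\r\n", 1)[0]
        if not request_line.startswith(b"POST ") or UPLOAD_ENDPOINT not in request_line:
            continue
        for name in extract_upload_names(req):
            verdict = classify_upload_name(name)
            if verdict != "ok":
                alerts.append((name, verdict))
    return alerts


def _request(filename: str) -> bytes:
    """Constructed multipart upload request carrying only a placeholder body."""
    return (b"POST /cgi-bin/upload.cgi HTTP/1.1\r\nHost: router.example\r\n"
            b"Content-Type: multipart/form-data; boundary=XX\r\n\r\n--XX\r\n"
            b'Content-Disposition: form-data; name="file"; filename="' + filename.encode()
            + b'"\r\n\r\n<placeholder>\r\n--XX--\r\n')


# Constructed samples: a benign template name (extension assumed), a name that would
# overwrite an executable CGI, and a name that tries to leave the directory.
SAMPLE_REQUESTS = [_request("site_template.xml"), _request("fw_upload_init.cgi"),
                   _request("../../tmp/x")]

if __name__ == "__main__":
    for name, verdict in scan_requests(SAMPLE_REQUESTS):
        print(f"ALERT {verdict}: {name}")
```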
The addition of CVE-2018-4063 to the KEV catalog comes a day after Forescout’s 90-day honeypot analysis revealed that industrial routers are the most attacked devices in operational technology (OT) environments, with attackers exploiting the following flaws to distribute botnets and crypto miner malware families such as RondoDox, Redtail, and ShadowV2.
We have also recorded an attack from a previously undocumented threat cluster named Chaya_005 that weaponized CVE-2018-4063 and uploaded an unspecified malicious payload named ‘fw_upload_init.cgi’ in early January 2024. No successful exploits have been detected since then.
Forescout Research – Vedere Labs said, “Chaya_005 appears to be a broader reconnaissance operation testing vulnerabilities from multiple vendors rather than focusing on a single vulnerability,” adding that the cluster is likely no longer a “significant threat.”
In view of the active exploitation of CVE-2018-4063, Federal Civilian Executive Branch (FCEB) agencies have been advised to update their devices to a supported version or discontinue use of the product, which has reached End-of-Life status, by January 2, 2026.