Following reports of an active exploit in the wild, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a high-severity flaw affecting Sierra Wireless Airlink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog.
CVE-2018-4063 (CVSS score: 8.8/9.9) refers to an unrestricted file upload vulnerability that can be exploited to achieve remote code execution via a malicious HTTP request.
“A specially crafted HTTP request could upload a file, result in executable code, and be routed to a webserver,” the agency said. “An attacker could make an authenticated HTTP request to trigger this vulnerability.”
Details of the six-year-old flaw were publicly shared by Cisco Talos in April 2019, describing it as an exploitable remote code execution vulnerability in the ACEManager “upload.cgi” function of Sierra Wireless Airlink ES450 firmware version 4.9.3. Talos informed the Canadian company about the flaw in December 2018.
“This vulnerability exists in the file upload capability of templates within the Airlink 450,” the company said. “When uploading template files, you can specify the name of the file you are uploading.”
“There are no restrictions to protect files currently present on a device used for normal operation. If a file is uploaded with the same file name that already exists in the directory, we inherit the permissions of that file.”
Talos noted that some files in the directory (for example, “fw_upload_init.cgi” or “fw_status.cgi”) have executable permissions on the device, meaning an attacker could send an HTTP request to the “/cgi-bin/upload.cgi” endpoint to upload a file by the same name to obtain code execution.
This is compounded by the fact that ACEManager runs as root, so any shell scripts or executables uploaded to the device also run with elevated privileges.
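The mechanism Talos describes (a client-chosen filename overwrites an existing file in place, so the new content keeps that file's executable mode bits) can be reproduced and contrasted with a hardened handler in a scratch directory. The following is an added example, not Sierra Wireless, Talos, or ALEOS code; the directory layout, the `vulnerable_upload` and `hardened_upload` functions and the filename policy are all constructed for illustration, and the mode-bit behaviour assumes a POSIX filesystem.

```python
import os
import re
import stat
import tempfile

# Names of shipped files that the article says are executable on the device.
# The directory that holds them here is a constructed scratch layout.
EXECUTABLE_CGIS = ("fw_upload_init.cgi", "fw_status.cgi")

# Conservative filename alphabet: no path separators, no spaces, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def make_device_dir() -> str:
    """Create a scratch cgi-bin containing two executable files, mimicking the layout Talos describes."""
    root = tempfile.mkdtemp(prefix="aleos-demo-")
    cgi = os.path.join(root, "cgi-bin")
    os.makedirs(cgi)
    for name in EXECUTABLE_CGIS:
        path = os.path.join(cgi, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho original\n")
        os.chmod(path, 0o755)
    return cgi


def vulnerable_upload(cgi_dir: str, filename: str, data: bytes) -> int:
    """Behaviour the article describes: the client-chosen name is used as-is and an
    existing file is truncated and rewritten, so the inode and its mode bits survive.
    Returns the resulting mode bits (0o755 when an executable CGI was replaced)."""
    path = os.path.join(cgi_dir, filename)
    with open(path, "wb") as f:  # truncate + write: same inode, same permissions
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def hardened_upload(cgi_dir: str, filename: str, data: bytes) -> int:
    """Hardened handler (example policy, not vendor code):
    - accept only the SAFE_NAME alphabet and reject dot-prefixed names (covers '..'),
    - store uploads in a dedicated templates directory, never alongside CGI scripts,
    - refuse to replace any existing file (O_EXCL), and
    - create the file with an explicit, non-executable mode.
    Returns the mode bits of the newly created file."""
    if not SAFE_NAME.match(filename) or filename.startswith("."):
        raise ValueError("rejected filename")
    template_dir = os.path.join(os.path.dirname(cgi_dir), "templates")
    os.makedirs(template_dir, exist_ok=True)
    path = os.path.join(template_dir, filename)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.fchmod(fd, 0o600)  # make the mode explicit regardless of umask
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def upload_rejected(cgi_dir: str, filename: str, data: bytes = b"x") -> bool:
    """True when the hardened handler refuses the upload (bad name or name already taken)."""
    try:
        hardened_upload(cgi_dir, filename, data)
    except (ValueError, FileExistsError):
        return True
    return False


if __name__ == "__main__":
    cgi = make_device_dir()
    print("vulnerable mode after overwrite: %o" % vulnerable_upload(cgi, "fw_status.cgi", b"#!/bin/sh\necho replaced\n"))
    print("hardened mode of new template:  %o" % hardened_upload(cgi, "fw_status.cgi", b"template"))
    print("second upload with same name rejected:", upload_rejected(cgi, "fw_status.cgi"))
    print("path traversal name rejected:", upload_rejected(cgi, "../fw_status.cgi"))
```

The key design point is that the hardened version never lets a caller pick a path inside the executable directory at all; the name check and the O_EXCL create are defence in depth on top of that separation.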
Honeypot analysis conducted by Forescout over a 90-day period, and published a day after CVE-2018-4063 was added to the KEV catalog, revealed that industrial routers are the most attacked devices in operational technology (OT) environments, with threat actors attempting to distribute botnets and cryptocurrency miner malware families such as Rondodox, Redtail, and ShadowV2 by exploiting the following vulnerabilities –
Attacks have also been recorded from a previously unknown threat cluster named shadow_005, which weaponized CVE-2018-4063 in early January 2024 to upload an unspecified malicious payload with the name “fw_upload_init.cgi”. No further successful exploit attempts have been detected since then.
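Because the observed attack replaced a shipped executable (fw_upload_init.cgi) with attacker content, the most direct detection on the device side is an integrity baseline of the CGI directory that flags a changed file whose executable bits are still set. The following is an added example, not Forescout's or Sierra Wireless's tooling; the manifest format, severity labels and the scratch directory it runs against are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile


def baseline(cgi_dir: str) -> dict:
    """Record the SHA-256 and mode bits of every regular file in the CGI directory."""
    manifest = {}
    for name in sorted(os.listdir(cgi_dir)):
        path = os.path.join(cgi_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        manifest[name] = {"sha256": digest, "mode": stat.S_IMODE(os.stat(path).st_mode)}
    return manifest


def verify(cgi_dir: str, manifest: dict) -> list:
    """Compare the directory against a baseline.
    Returns (kind, name, severity) tuples; a modified or new file that is executable
    is 'high' because that is exactly the overwrite-and-inherit pattern the article describes."""
    findings = []
    current = baseline(cgi_dir)
    for name, entry in manifest.items():
        if name not in current:
            findings.append(("missing", name, "medium"))
        elif current[name]["sha256"] != entry["sha256"]:
            severity = "high" if current[name]["mode"] & 0o111 else "medium"
            findings.append(("modified", name, severity))
    for name in current:
        if name not in manifest:
            severity = "high" if current[name]["mode"] & 0o111 else "low"
            findings.append(("new", name, severity))
    return findings


def demo() -> list:
    """Constructed scenario: baseline a scratch cgi-bin, then overwrite fw_upload_init.cgi
    in place (as the article describes) and a benign non-executable file, and verify."""
    root = tempfile.mkdtemp(prefix="aleos-fim-")
    cgi = os.path.join(root, "cgi-bin")
    os.makedirs(cgi)
    for name in ("fw_upload_init.cgi", "fw_status.cgi"):
        path = os.path.join(cgi, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho original\n")
        os.chmod(path, 0o755)
    with open(os.path.join(cgi, "banner.txt"), "w") as f:
        f.write("hello\n")
    manifest = baseline(cgi)

    # Simulated post-incident state: executable replaced in place, text file edited.
    with open(os.path.join(cgi, "fw_upload_init.cgi"), "wb") as f:
        f.write(b"#!/bin/sh\necho replaced\n")  # constructed stand-in for the unknown payload
    with open(os.path.join(cgi, "banner.txt"), "w") as f:
        f.write("hello again\n")
    return verify(cgi, manifest)


if __name__ == "__main__":
    for kind, name, severity in demo():
        print(f"{severity:6} {kind:8} {name}")
```

In practice the baseline would be captured from a known-good firmware image or immediately after provisioning and stored off the device, since a root-level compromise could otherwise rewrite the manifest along with the files.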
Forescout Research – Vedere Labs said, “Shadow_005 appears to be a broad reconnaissance campaign that tests vulnerabilities from multiple vendors rather than focusing on any one.” It is likely that the cluster is no longer a “significant threat”.
In view of the active exploitation of CVE-2018-4063, Federal Civilian Executive Branch (FCEB) agencies are advised to update their devices to a supported version or stop using the product by January 2, 2026, as it has reached End of Support.