CISA Flags Sierra Wireless Router Bug Exploited for RCE

December 13, 2025 at 12:00 AM

CISA has added CVE-2018-4063 to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation targeting Sierra Wireless AirLink ALEOS routers. The high-severity flaw (CVSS 8.8/9.9) enables remote code execution via unrestricted file uploads.

How the exploit works

  • The issue resides in ACEManager’s upload.cgi on Sierra Wireless AirLink ES450 (firmware 4.9.3), as detailed by Cisco Talos.
  • An attacker can send an authenticated, specially crafted HTTP request to /cgi-bin/upload.cgi to upload a file.
  • Because file protections are lacking, uploaded files can overwrite existing CGI files (e.g., fw_upload_init.cgi or fw_status.cgi) and inherit executable permissions.
  • ACEManager runs as root, so uploaded scripts execute with elevated privileges.

Background

  • Cisco Talos reported the flaw to Sierra Wireless in December 2018 and published details in April 2019.
  • The vulnerability stems from template file uploads that allow specifying arbitrary filenames without safeguards against overwriting operational files.

Recent threat activity

  • A Forescout 90-day honeypot study found industrial routers are the most attacked devices in OT environments.
  • Threat actors attempted to deploy botnets and crypto miners such as RondoDox, Redtail, and ShadowV2 by exploiting:
    • CVE-2024-12856 (Four-Faith routers)
    • CVE-2024-0012, CVE-2024-9474, CVE-2025-0108 (Palo Alto Networks PAN-OS)
  • A cluster tracked as Chaya_005 weaponized CVE-2018-4063 in early January 2024 to upload a payload named "fw_upload_init.cgi." No further successful exploitation has been observed; the campaign appears to have been broad reconnaissance and is likely not a significant ongoing threat.

Who must act—and when

  • U.S. Federal Civilian Executive Branch (FCEB) agencies must update affected devices to a supported version or discontinue their use by January 2, 2026, as these products have reached end-of-support.

Recommended mitigations now

  • Upgrade or replace unsupported AirLink devices; remove ACEManager from direct internet exposure.
  • Restrict management access to VPN/allowlisted IPs and enforce strong, unique admin credentials.
  • Monitor for unexpected CGI files (e.g., fw_upload_init.cgi, fw_status.cgi) and suspicious POSTs to /cgi-bin/upload.cgi.
  • Segment OT networks and promptly patch related router and firewall CVEs where applicable.
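As an added example that is not part of the article or of any Sierra Wireless tooling, the monitoring step above implemented in Python over constructed access-log lines: it flags every POST to /cgi-bin/upload.cgi, correlates a follow-up request for one of the overwritable CGI files (fw_upload_init.cgi, fw_status.cgi) from the same source with an accepted upload, and adds a baseline hash check for changed CGI files. The Common Log Format layout and the hash maps are assumptions, since the page does not show ACEManager's own logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines in Common Log Format; ACEManager's real
# log layout is not given on the page, so this field layout is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - admin [02/Jan/2024:03:14:07 +0000] "POST /cgi-bin/upload.cgi HTTP/1.1" 200 512
10.0.0.9 - - [02/Jan/2024:03:14:09 +0000] "GET /index.html HTTP/1.1" 200 2048
10.0.0.5 - admin [02/Jan/2024:03:14:12 +0000] "GET /cgi-bin/fw_upload_init.cgi HTTP/1.1" 200 77
10.0.0.7 - admin [02/Jan/2024:03:20:00 +0000] "POST /cgi-bin/upload.cgi HTTP/1.1" 403 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$')

UPLOAD_ENDPOINT = "/cgi-bin/upload.cgi"
# CGI files the article names as overwrite targets of the uploaded payload.
OVERWRITE_TARGETS = {"fw_upload_init.cgi", "fw_status.cgi"}

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]   # drop any query string
    return rec

def detect_upload_abuse(log_text, window=timedelta(minutes=5)):
    """Return (ip, reason) findings: every POST to upload.cgi, plus a request for
    an overwritable CGI by the same source within `window` of an accepted upload."""
    findings, accepted = [], {}   # accepted: ip -> time of its last 2xx upload
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT:
            ok = rec["status"].startswith("2")
            findings.append((rec["ip"], "upload.cgi POST " + ("accepted" if ok else "rejected")))
            if ok:
                accepted[rec["ip"]] = rec["time"]
        elif rec["path"].rsplit("/", 1)[-1] in OVERWRITE_TARGETS:
            last = accepted.get(rec["ip"])
            if last and rec["time"] - last <= window:
                delay = int((rec["time"] - last).total_seconds())
                findings.append((rec["ip"], f"{rec['path']} requested {delay}s after accepted upload"))
    return findings

def changed_cgi_files(current, baseline):
    """File-integrity check: names whose digest differs from, or is absent in, the
    known-good baseline. Both maps are filename -> hex digest (constructed here)."""
    return sorted(f for f, h in current.items() if baseline.get(f) != h)
```

Run on the sample, the accepted upload from 10.0.0.5 followed five seconds later by a request for fw_upload_init.cgi is reported as one correlated finding, while the rejected POST from 10.0.0.7 is still listed for review.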

Source: The Hacker News
