CISA Alerts on RCE Vulnerability in Sierra Wireless Routers

CISA urges agencies to update or discontinue use of vulnerable devices by January 2026


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently included a critical vulnerability in Sierra Wireless AirLink ALEOS routers in its Known Exploited Vulnerabilities (KEV) catalog, following confirmation of active exploitation.

This inclusion underscores the severity of the issue, which poses a significant threat to cybersecurity across various sectors.

CVE-2018-4063 (CVSS score: 8.8/9.9) is a high-risk file upload vulnerability that allows threat actors to execute remote code by sending a specially crafted HTTP request. This vulnerability enables attackers to bypass security measures and gain unauthorized access to systems.

CISA explained that “a specifically designed HTTP request can upload a file, resulting in the execution of malicious code on the web server.”

This flaw can be exploited when an attacker sends an authenticated HTTP request to trigger the vulnerability, which allows them to upload arbitrary files to the affected system.

The vulnerability was first discovered and disclosed by Cisco Talos in April 2019. They identified it as a remote code execution vulnerability within the ACEManager “upload.cgi” function of Sierra Wireless AirLink ES450 firmware version 4.9.3. Talos had reported the flaw to Sierra Wireless back in December 2018.

Sierra Wireless clarified that this vulnerability arises from a lack of restrictions in the file upload functionality within the AirLink 450 device.

When uploading template files, the file name can be arbitrarily specified, allowing an attacker to overwrite existing files on the device with malicious code. Some critical files, such as “fw_upload_init.cgi” and “fw_status.cgi,” already have executable permissions, making them prime targets for exploitation.

The situation is compounded by the fact that ACEManager operates with root-level privileges, meaning any uploaded executable or shell script runs with elevated permissions, effectively allowing attackers to gain full control of the compromised device.
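The upload weakness described above, shown beside a hardened handler in a constructed temporary directory. This is an added example, not Sierra Wireless or ACEManager code; the function names, the `templates` directory and the `.xml` template extension are assumptions made for illustration.

```python
import os
import re
import tempfile

# Assumption: templates are XML files with simple names; adapt to the real format.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.xml")

def save_naive(web_dir, client_name, data):
    """The flawed pattern: the client-supplied name picks the destination."""
    path = os.path.join(web_dir, client_name)
    with open(path, "wb") as fh:  # truncates an existing file and keeps its mode
        fh.write(data)

def save_hardened(template_dir, client_name, data):
    """Allowlist the name, never overwrite, never create an executable file."""
    if not SAFE_NAME.fullmatch(client_name):
        raise ValueError("rejected file name: %r" % client_name)
    path = os.path.join(template_dir, client_name)
    # O_EXCL refuses an existing path; O_NOFOLLOW (where available) refuses symlinks.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: a web directory holding an executable CGI file."""
    out = {}
    with tempfile.TemporaryDirectory() as web_dir:
        cgi = os.path.join(web_dir, "fw_upload_init.cgi")
        with open(cgi, "wb") as fh:
            fh.write(b"#!/bin/sh\necho original\n")
        os.chmod(cgi, 0o755)
        save_naive(web_dir, "fw_upload_init.cgi", b"replaced")
        with open(cgi, "rb") as fh:
            out["naive_overwrote"] = fh.read() == b"replaced"
        out["still_executable"] = bool(os.stat(cgi).st_mode & 0o100)
        tdir = os.path.join(web_dir, "templates")
        os.mkdir(tdir)
        out["rejected"] = []
        for name in ("fw_upload_init.cgi", "../fw_status.cgi", "site.xml"):
            try:
                save_hardened(tdir, name, b"<template/>")
            except ValueError:
                out["rejected"].append(name)
        out["saved_no_exec"] = os.stat(os.path.join(tdir, "site.xml")).st_mode & 0o111 == 0
    return out

if __name__ == "__main__":
    print(demo())
```

The naive handler leaves the replaced file with its original executable bit, which is why overwriting an existing CGI file is enough for code execution when the web server runs as root.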

CVE-2018-4063 was added to CISA’s KEV catalog following a 90-day honeypot analysis by Forescout, which revealed that industrial routers are among the most frequently targeted devices in operational technology (OT) environments. The analysis found that cybercriminals were actively exploiting several vulnerabilities to deliver botnet and cryptocurrency miner malware, including:

  • CVE-2024-12856 (Four-Faith routers)

  • CVE-2024-0012, CVE-2024-9474, and CVE-2025-0108 (Palo Alto Networks PAN-OS)

Additionally, Forescout reported that a newly identified threat group, Chaya_005, exploited CVE-2018-4063 in January 2024 to upload a malicious payload, “fw_upload_init.cgi.” However, no further exploitation attempts have been detected since then.

Forescout Research Vedere Labs indicated that Chaya_005 is likely a broader reconnaissance campaign, testing vulnerabilities across various vendors rather than focusing on a single flaw. The group no longer appears to pose a significant threat.

Given the active exploitation of CVE-2018-4063, Federal Civilian Executive Branch (FCEB) agencies have been strongly advised to either upgrade their devices to supported versions or discontinue their use by January 2, 2026, as the product will reach its end-of-life and no longer receive security updates.