The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a high-severity vulnerability affecting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog. This move follows reports of unauthorized actors actively exploiting the flaw, identified as CVE-2018-4063, in real-world attacks. The vulnerability presents a significant risk to network security within industrial and operational technology environments.
CVE-2018-4063, carrying a base CVSS score of 8.8 and a potential score of 9.9, is an unrestricted file upload vulnerability. Threat actors can leverage this flaw to achieve remote code execution by sending a specially crafted malicious HTTP request. This allows for the unauthorized upload and execution of code on the affected router, regardless of whether the attacker has initial network access. CISA has mandated that federal agencies address this vulnerability by January 2, 2026.
Sierra Wireless Router Vulnerability Added to CISA’s KEV Catalog
The discovery and public disclosure of CVE-2018-4063 date back to April 2019, when Cisco Talos first detailed the flaw, which is now more than six years old. Talos, Cisco's threat intelligence group, had reported the vulnerability to Sierra Wireless in December 2018. The issue resides in the “upload.cgi” function of ACEManager in ALEOS firmware version 4.9.3.
According to Talos’s analysis, the vulnerability stems from the permissive file upload functionality associated with templates within the Sierra Wireless AirLink 450. An attacker can exploit this by uploading a file and specifying a name that already exists within a target directory on the device. Crucially, the system lacks sufficient restrictions to prevent overwriting existing files, so the uploaded file replaces the original and inherits its permissions.
This exploit becomes particularly potent because some pre-existing files within the relevant directory, such as “fw_upload_init.cgi” or “fw_status.cgi,” possess executable permissions. By uploading a malicious file with one of these identical names to the “/cgi-bin/upload.cgi” endpoint, an attacker can effectively achieve remote code execution. Furthermore, the ACEManager component operates with root privileges, meaning any uploaded executable or shell script will run with elevated permissions, granting significant control over the device.
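The two paragraphs above describe the mechanism in words: a handler that trusts the client-supplied name truncates whatever file is already there, and because the inode is reused, the original's executable mode bits survive. The following is an added example, not Sierra Wireless, Talos or ACEManager code, that reproduces that behaviour in a temporary directory and contrasts it with a hardened save routine. The directory, the stand-in file contents and the `template.txt` name are constructed here; only the two CGI file names come from the article.

```python
"""Added example (not Sierra Wireless or Talos code): shows why overwriting an
existing executable through a permissive upload handler inherits its mode bits,
and how a hardened handler refuses the overwrite. Everything runs inside a
temporary directory constructed here; the file names echo the article."""
import os
import stat
import tempfile

# File names the article cites as pre-existing executables in the CGI directory.
EXISTING_EXECUTABLES = ("fw_upload_init.cgi", "fw_status.cgi")


def make_cgi_dir() -> str:
    """Construct a stand-in cgi-bin directory holding executable (0o755) files."""
    cgi_dir = tempfile.mkdtemp(prefix="cgi-bin-")
    for name in EXISTING_EXECUTABLES:
        path = os.path.join(cgi_dir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho original\n")
        os.chmod(path, 0o755)
    return cgi_dir


def permissive_save(cgi_dir: str, name: str, data: bytes) -> int:
    """Vulnerable pattern: trusts the client-supplied name and truncates whatever
    is already there. open(..., 'wb') reuses the inode, so 0o755 survives.
    Returns the resulting permission bits."""
    path = os.path.join(cgi_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def hardened_save(cgi_dir: str, name: str, data: bytes) -> int:
    """Hardened pattern: accept only a plain file name, refuse to replace an
    existing file (O_EXCL) and create the upload non-executable (0o600).
    Returns the resulting permission bits."""
    if name != os.path.basename(name) or name in ("", ".", ".."):
        raise ValueError("upload name must be a plain file name")
    path = os.path.join(cgi_dir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.fchmod(fd, 0o600)  # pin the mode regardless of the process umask
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Run both handlers against the constructed directory and report outcomes."""
    cgi_dir = make_cgi_dir()
    payload = b"#!/bin/sh\necho replaced\n"  # constructed, harmless stand-in
    inherited_mode = permissive_save(cgi_dir, "fw_status.cgi", payload)
    try:
        hardened_save(cgi_dir, "fw_upload_init.cgi", payload)
        overwrite_blocked = False
    except FileExistsError:
        overwrite_blocked = True
    new_mode = hardened_save(cgi_dir, "template.txt", payload)
    return {
        "inherited_mode": oct(inherited_mode),      # 0o755: executable bit kept
        "overwrite_blocked": overwrite_blocked,     # True: O_EXCL refused it
        "new_upload_mode": oct(new_mode),           # 0o600: not executable
    }


if __name__ == "__main__":
    print(demo())
```

The point of `O_EXCL` is that the check and the create happen in one system call, so there is no window in which a second request could slip a file in between an existence check and the write; a handler that also runs as root, as the article notes ACEManager does, gains nothing from file ownership alone and needs the refusal to overwrite.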
Active Exploitation and Broader Threat Landscape
The inclusion of CVE-2018-4063 in the KEV catalog is timely, as a recent Forescout analysis highlighted industrial routers as the most frequently targeted devices in operational technology (OT) environments. Over a 90-day period, Forescout researchers observed threat actors attempting to deploy botnet and cryptocurrency mining malware, including families like RondoDox, Redtail, and ShadowV2, by exploiting various vulnerabilities.
The Forescout report specifically mentioned a previously undocumented threat cluster identified as Chaya_005. This cluster weaponized CVE-2018-4063 in early January 2024, successfully uploading an unspecified malicious payload under the filename “fw_upload_init.cgi.” While no further exploitation by this specific cluster has been observed since then, it underscores the continued relevance of this vulnerability.
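The Chaya_005 observation above gives defenders two concrete things to watch for: POST traffic to the upload endpoint from hosts that have no business using ACEManager, and a request for one of the named CGI files arriving shortly after such an upload from the same client. The following is an added example, not from the article, CISA or Forescout, that applies those two rules to HTTP access-log lines in Apache/nginx combined format, as a reverse proxy or network sensor placed in front of the router might record them. The log lines, client addresses and management allowlist are constructed for this example; only the endpoint and the two CGI names come from the article.

```python
"""Added example (not from the article, CISA or Forescout): a small detector
over HTTP access-log lines in combined log format. The log lines, addresses
and allowlist below are constructed; the endpoint and CGI names are the
ones the article cites."""
import re
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/cgi-bin/upload.cgi"
SENSITIVE_CGI = {"/cgi-bin/fw_upload_init.cgi", "/cgi-bin/fw_status.cgi"}
# Hosts permitted to use ACEManager at all (constructed allowlist).
MANAGEMENT_ALLOWLIST = {"10.0.0.5"}
# How long after an upload a request to a sensitive CGI is treated as related.
CORRELATION_WINDOW = timedelta(minutes=10)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Parse one combined-format line; return None for anything unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def detect(lines):
    """Return alerts as (severity, client_ip, reason) tuples, in log order."""
    alerts = []
    last_upload = {}  # client ip -> timestamp of its most recent upload POST
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, method, ts = rec["ip"], rec["path"], rec["method"], rec["ts"]
        if method == "POST" and path == UPLOAD_ENDPOINT:
            last_upload[ip] = ts
            if ip in MANAGEMENT_ALLOWLIST:
                alerts.append(("info", ip, "upload.cgi POST from management host"))
            else:
                alerts.append(("high", ip, "upload.cgi POST from non-management host"))
        elif path in SENSITIVE_CGI:
            seen = last_upload.get(ip)
            if seen is not None and ts - seen <= CORRELATION_WINDOW:
                gap = int((ts - seen).total_seconds())
                alerts.append(("critical", ip,
                               f"{path} requested {gap}s after an upload from the same client"))
    return alerts


# Constructed sample log: one benign status check, one suspicious upload followed
# by a request for the overwritten CGI name, one allowed upload, one junk line.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2024:09:00:00 +0000] "GET /cgi-bin/fw_status.cgi HTTP/1.1" 200 512',
    '198.51.100.23 - - [12/Jan/2024:09:05:10 +0000] "POST /cgi-bin/upload.cgi HTTP/1.1" 200 74',
    '198.51.100.23 - - [12/Jan/2024:09:05:12 +0000] "GET /cgi-bin/fw_upload_init.cgi HTTP/1.1" 200 21',
    '10.0.0.5 - - [12/Jan/2024:09:30:00 +0000] "POST /cgi-bin/upload.cgi HTTP/1.1" 200 74',
    'not a log line',
]

if __name__ == "__main__":
    for severity, ip, reason in detect(SAMPLE_LOG):
        print(f"[{severity}] {ip}: {reason}")
```

The first rule is the one that matters for a device that, per CISA, should no longer be reachable by untrusted networks at all: any upload POST from outside the management allowlist is already a finding. The correlation rule exists because an allowlisted host can itself be compromised, so a request for one of the two executable CGI names within minutes of an upload from the same client is escalated regardless of the source address.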
Forescout Research – Vedere Labs characterized Chaya_005 as a broad reconnaissance campaign, suggesting it was testing multiple vendor vulnerabilities rather than concentrating on a single exploit. Consequently, the cluster is not currently considered a significant threat. However, the active exploitation of CVE-2018-4063 serves as a critical reminder of the persistent risks faced by organizations relying on vulnerable network infrastructure.
Given the active exploitation and the end-of-support status of affected Sierra Wireless AirLink ALEOS router versions, Federal Civilian Executive Branch (FCEB) agencies are strongly advised to update their devices to a currently supported version or to decommission the affected products entirely. The deadline for compliance with CISA’s directive is set for January 2, 2026.