⚠ Actively exploited
Added to CISA KEV on 2025-12-12. Federal agencies required to patch by 2026-01-02. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
CVE-2018-4063 — Unrestricted File Upload in Aleos
Severity
8.8 HIGH (NVD)
EPSS
0.8%
top 25.85%
CISA KEV
KEV
Added 2025-12-12
Due 2026-01-02
Exploit
No known exploits
Affected products
Timeline
Published: May 6
KEV added: Dec 12
KEV due: Jan 2
Description
An exploitable remote code execution vulnerability exists in the upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
Affected Packages (1 package)
🔴 Vulnerability Details (2)
📋 Vendor Advisories (2)
🕵️ Threat Intelligence (6)
Talos
The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter (2023-08-02)
Recorded Future
December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity