CVE-2018-4063
Published 2019-05-06
Priority P1 · 87 · high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (KEV), due 2026-01-02
Exploited in the wild (ITW)
EPSS: 28.06% (97.9th percentile)
An exploitable remote code execution vulnerability exists in the upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sierrawireless | aleos | < 4.4.9 | 4.4.9 |
| sierrawireless | aleos | < 4.11.0 | 4.11.0 |
| sierrawireless | aleos | < 4.9.4 | 4.9.4 |
Detection & IOCs (extracted from sources)
- Monitor for authenticated HTTP requests targeting the upload.cgi endpoint on Sierra Wireless AirLink ES450 devices, particularly those uploading executable file types.
- Uploaded executable files become routable/accessible via the webserver: hunt for unexpected executable files served from the device's web root following upload.cgi requests.
- Exploitation requires authentication; unauthenticated access alone is insufficient to trigger the vulnerability. Detection should account for valid session credentials being used.
- The affected firmware version is specifically 4.9.3 on the Sierra Wireless AirLink ES450. Devices on other firmware versions may not be confirmed vulnerable.
- The impacted product may be end-of-life/end-of-service; patches may not be available and device retirement should be considered.
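A detection sketch for the two hunting bullets above, added here and not taken from any of the cited sources: it correlates a successful POST to upload.cgi with later 200 GETs, from the same client, of paths that nobody had requested before the upload. The Common Log Format input (for example from a proxy or sensor in front of ACEManager), the 10-minute window, and every sample line, address, user name and path are assumptions constructed for illustration; lines are assumed to be in time order.

```python
import re
from datetime import datetime, timedelta

# Assumption: Common Log Format lines from a proxy or sensor in front of the device.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
WINDOW = timedelta(minutes=10)  # assumed correlation window, tune per site

def parse(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore query string
    return rec

def hunt(lines):
    """Flag a successful upload.cgi POST followed, within WINDOW, by a 200 GET
    from the same client for a path nobody requested before that upload."""
    seen, uploads, alerts, reported = set(), {}, [], set()
    for rec in filter(None, map(parse, lines)):
        ip, path = rec["ip"], rec["path"]
        is_upload = (rec["method"] == "POST" and path.endswith("/upload.cgi")
                     and rec["status"].startswith("2"))
        if is_upload:
            # Remember who uploaded, when, and which paths were already known.
            uploads[ip] = (rec["ts"], rec["user"], frozenset(seen))
        elif rec["method"] == "GET" and rec["status"] == "200" and ip in uploads:
            up_ts, user, baseline = uploads[ip]
            fresh = path not in baseline and (ip, path) not in reported
            if fresh and rec["ts"] - up_ts <= WINDOW:
                reported.add((ip, path))
                alerts.append({"client": ip, "user": user, "new_path": path,
                               "uploaded_at": up_ts.isoformat()})
        seen.add(path)
    return alerts

# Constructed sample lines; addresses, user name and paths are illustrative only.
SAMPLE = [
    '192.0.2.10 - opsuser [12/Dec/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - opsuser [12/Dec/2025:10:01:00 +0000] "POST /example/upload.cgi HTTP/1.1" 200 64',
    '192.0.2.10 - opsuser [12/Dec/2025:10:01:30 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - opsuser [12/Dec/2025:10:02:00 +0000] "GET /example/constructed-upload.bin HTTP/1.1" 200 10',
    '192.0.2.10 - opsuser [12/Dec/2025:10:02:05 +0000] "GET /example/constructed-upload.bin HTTP/1.1" 200 10',
    '198.51.100.7 - - [12/Dec/2025:10:03:00 +0000] "GET /status.html HTTP/1.1" 200 10',
]
```

Because the upload itself is authenticated, the alert carries the logged user name so the session can be reviewed; a legitimate page that simply had not been requested before the upload will also match, so treat hits as leads for triage.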
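CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vulncheck | | 8.8 | HIGH | |
| cisa | | 8.8 | HIGH | |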
GHSA
GHSA-96pr-35f4-cf4c: An exploitable remote code execution vulnerability exists in the upload
ghsa_unreviewed·2022-05-24
CVE-2018-4063 [HIGH] CWE-434 GHSA-96pr-35f4-cf4c: An exploitable remote code execution vulnerability exists in the upload
An exploitable remote code execution vulnerability exists in the upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability.
VulnCheck
Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability
vulncheck·2018·CVSS 8.8
CVE-2018-4063 [HIGH] CWE-434 Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability
Sierra Wireless AirLink ALEOS contains an unrestricted upload of file with dangerous type vulnerability. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Affected: Sierra Wireless AirLink ALEOS
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.fores
CISA
Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability
cisa·2025-12-12·CVSS 8.8
CVE-2018-4063 [HIGH] CWE-434 Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability
Vulnerability: Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type Vulnerability
Affected: Sierra Wireless AirLink ALEOS
Sierra Wireless AirLink ALEOS contains an unrestricted upload of file with dangerous type vulnerability. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.cisa.gov/
CISA ICS
Sierra Wireless AirLink ALEOS (Update B)
cisa_ics·2019-08-20·CVSS 8.8
[HIGH] Sierra Wireless AirLink ALEOS (Update B)
Last Revised: April 23, 2020
Alert Code: ICSA-19-122-03
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.1
- ATTENTION: Exploitable remotely/low skill level to exploit/public exploits are available
- Vendor: Sierra Wireless
- Equipment: AirLink ALEOS
- Vulnerabilities: OS Command Injection, Use of Hard-coded Credentials, Unrestricted Upload of File with Dangerous Type, Cross-site Scripting, Cross-site Request Forgery, Information Exposure, Missing Encryption of Sensitive Data
## 2. UPDATE INFORMATION
This updated advisory is a follow-up to the origi
No detection rules found.
No public exploits indexed.
Talos
The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter
blogs_talos·2023-08-02
The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter
- Since the discovery of the widespread VPNFilter malware in 2018, Cisco Talos researchers have been researching vulnerabilities in small and home office (SOHO) and industrial routers.
- During that research, Talos has worked with vendors to report and mitigate these vulnerabilities, totaling 141 advisories covering 289 CVEs across multiple routers.
- Talos is highlighting some of the major issues our researchers discovered over the past several years, including vulnerabilities that an attacker could mostly directly access or those an adversary could chain together to gain elevated access to the devices.
- There are several Snort rules that can detect possible exploitation of the vulnerabilities included in this post.
Small office/home office (SOHO) routers and small-scale industrial rout
Talos
Vulnerability Spotlight: Multiple vulnerabilities in Sierra Wireless AirLink ES450
blogs_talos·2019-04-25·CVSS 8.8
[HIGH] Vulnerability Spotlight: Multiple vulnerabilities in Sierra Wireless AirLink ES450
Several exploitable vulnerabilities exist in the Sierra Wireless AirLink ES450, an LTE gateway designed for distributed enterprise, such as retail point-of-sale or industrial control systems. These flaws present a number of attack vectors for a malicious actor, and could allow them to remotely execute code on the victim machine, change the administrator’s password and expose user credentials, among other scenarios. The majority of these vulnerabilities exist in ACEManager, the web server included with the ES450. ACEManager is responsible for the majority of interactions on the device, including device reconfiguration, user authentication and certificate management.
In accordance with our coordinated disclosure policy, Cisco Talos worked with Sierra Wireless to ensure that these issues are
Recorded Future
December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
blogs_recorded_future·CVSS 7.8
CVE-2025-55182 [HIGH] December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
# December 2025 CVE Landscape: 22 Critical Vulnerabilities Mark 120% Surge, React2Shell Dominates Threat Activity
December 2025 witnessed a dramatic 120% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 22 vulnerabilities requiring immediate remediation, up from 10 in November. The month was dominated by widespread exploitation of Meta's React Server Components flaw.
What security teams need to know:
- React2Shell pandemonium: CVE-2025-55182 triggered a global exploitation wave with multiple threat actors deploying diverse malware families
- China-nexus exploitation intensifies: Earth Lamia, Jackpot Panda, and UAT-9686 leveraged critical flaws for espionage operations
- Public exploits proliferate: Eleven of 22 vulnerabilities have proof-of-conce
Greynoiseio
NoiseLetter December 2025
blogs_greynoiseio·CVSS 10.0
[CRITICAL] NoiseLetter December 2025
- http://packetstormsecurity.com/files/152648/Sierra-Wireless-AirLink-ES450-ACEManager-upload.cgi-Remote-Code-Execution.html
- http://www.securityfocus.com/bid/108147
- https://ics-cert.us-cert.gov/advisories/ICSA-19-122-03
- https://talosintelligence.com/vulnerability_reports/TALOS-2018-0748
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-4063
- https://www.forescout.com/blog/ot-network-security-threats-industrial-routers-under-attack/
2019-05-06: Published
2025-12-12: Added to CISA KEV
Exploited in the wild