CVE-2023-40464
Published: 2023-12-04
Priority: P3 (35) · medium · CVSS 3.1 base score 6.8
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.30% (21.2 percentile)
Several versions of ALEOS, including ALEOS 4.16.0, use a hardcoded SSL certificate and private key. An attacker with access to these items could potentially perform a man-in-the-middle attack between the ACEManager client and ACEManager server.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sierrawireless | aleos | <= 4.16.0 | — |
| sierrawireless | aleos | 4.10 – 4.16 | — |
CISA ICS
[HIGH] Sierra Wireless AirLink with ALEOS firmware (ICS Advisory)
cisa_ics · 2023-12-07 · CVSS 7.5
Release Date: December 07, 2023
Alert Code: ICSA-23-341-06
## 1. EXECUTIVE SUMMARY
- CVSS v3 8.1
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Sierra Wireless
- Equipment: AirLink
- Vulnerabilities: Infinite Loop, NULL Pointer Dereference, Cross-site Scripting, Reachable Assertion, Use of Hard-coded Credentials, Use of Hard-coded Cryptographic Key
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution to take full control of the device, steal credentials through a cross-site scripting attack, or crash the device being accessed through a denial-of-service attack.
## 3. TECHNICAL DETAILS
## 3.1 AFFEC
GHSA
GHSA-hq59-x6xq-jvxw (CVE-2023-40464, [HIGH], CWE-321)
ghsa_unreviewed · 2023-12-05
Several versions of ALEOS, including ALEOS 4.16.0, use a hardcoded SSL certificate and private key. An attacker with access to these items could potentially perform a man-in-the-middle attack between the ACEManager client and ACEManager server.
No detection rules found.
No public exploits indexed.
arXiv
Automatic Generation of a Cryptography Misuse Taxonomy Using Large Language Models
arxiv_fulltext · 2025-09-13
## Abstract
The prevalence of cryptographic API misuse (CAM) is compromising the effectiveness of cryptography and in turn the security of modern systems and applications. Despite extensive efforts to develop CAM detection tools, these tools typically rely on a limited set of predefined rules from human-curated knowledge. This rigid, rule-based approach hinders adaptation to evolving CAM patterns in real practices.
We propose leveraging large language models (LLMs), trained on publicly available cryptography-related data, to automatically detect and classify CAMs in real-world code to address this limitation. Our method enables the development and continuous expansion of a CAM taxonomy, supporting developers and detection tools in tracking and understanding emerging CAM patterns. Specifi
Bleepingcomputer
[CRITICAL] "Sierra:21" vulnerabilities impact critical infrastructure routers
blogs_bleepingcomputer · 2023-12-06 · CVSS 9.8
By Bill Toulas
Various models are used in complex scenarios like passenger WiFi in transit systems, vehicle connectivity for emergency services, long-range gigabit connectivity to field operations, and various other performance-intensive tasks.
Forescout says Sierra routers are found in government systems, emergency services, energy, transportation, water and wastewater facilities, manufacturing units, and healthcare organizations.
## Flaws and impact
Forescout’s researchers discovered 21 new vulnerabilities in Sierra AirLink cellular routers and the TinyXML and OpenNDS components, which are part of other products, too.
Only one of the security issues has been rated critical, eight of them received a high severity