CVE-2023-40464 — Use of Hard-coded Cryptographic Key in Aleos

CWE-321 — Use of Hard-coded Cryptographic Key CWE-798 — Hard-coded Credentials5 documents5 sources

Severity

6.8MEDIUMNVD

EPSS

0.0%

top 99.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Sierrawireless Aleos

Timeline

PublishedDec 4

Latest updateSep 13

Description

Several versions of ALEOS, including ALEOS 4.16.0, use a hardcoded SSL certificate and private key. An attacker with access to these items could potentially perform a man in the middle attack between the ACEManager client and ACEManager server.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 1.6 | Impact: 5.2

Affected Packages2 packages

▶CVEListV5sierrawireless/aleos4.10 — 4.16

▶NVDsierrawireless/aleos4.16.0

🔴Vulnerability Details

GHSA

GHSA-hq59-x6xq-jvxw: Several versions of ALEOS, including ALEOS 4↗2023-12-05

▶

📋Vendor Advisories

CISA ICS

Sierra Wireless AirLink with ALEOS firmware↗2023-12-07

▶

🕵️Threat Intelligence

Bleepingcomputer

"Sierra:21" vulnerabilities impact critical infrastructure routers↗2023-12-06

▶

📄Research Papers

arXiv

Automatic Generation of a Cryptography Misuse Taxonomy Using Large Language Models↗2025-09-13

▶