The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a high-severity flaw impacting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild.
CVE-2018-4063 (CVSS score: 8.8/9.9) refers to an unrestricted file upload vulnerability that could be exploited to achieve remote code execution by means of a malicious HTTP request.
Protect your privacy by Mullvad VPN. Mullvad VPN is one of the famous brands in the security and privacy world. With Mullvad VPN you will not even be asked for your email address. No log policy, no data from you will be saved. Get your license key now from the official distributor of Mullvad with discount: SerialCart® (Limited Offer).
➤ Get Mullvad VPN with 12% Discount
“A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver,” the agency said. “An attacker can make an authenticated HTTP request to trigger this vulnerability.”
Details of the six-year-old flaw were publicly shared by Cisco Talos in April 2019, describing it as an exploitable remote code execution vulnerability in the ACEManager “upload.cgi” function of Sierra Wireless AirLink ES450 firmware version 4.9.3. Talos reported the flaw to the Canadian company in December 2018.
“This vulnerability exists in the file upload capability of templates within the AirLink 450,” the company said. “When uploading template files, you can specify the name of the file that you are uploading.”
“There are no restrictions in place that protect the files that are currently on the device, used for normal operation. If a file is uploaded with the same name of the file that already exists in the directory, then we inherit the permissions of that file.”
Talos noted that some of the files that exist in the directory (e.g., “fw_upload_init.cgi” or “fw_status.cgi”) have executable permissions on the device, meaning an attacker can send HTTP requests to the “/cgi-bin/upload.cgi” endpoint to upload a file with the same name to achieve code execution.
This is compounded by the fact that ACEManager runs as root, thereby causing any shell script or executable uploaded to the device to also run with elevated privileges.
The addition of CVE-2018-4063 to the KEV catalog comes a day after a honeypot analysis conducted by Forescout over a 90-day period revealed that industrial routers are the most attacked devices in operational technology (OT) environments, with threat actors attempting to deliver botnet and cryptocurrency miner malware families like RondoDox, Redtail, and ShadowV2 by exploiting the following flaws –
- CVE-2024-12856 (Four-Faith routers)
- CVE-2024-0012, CVE-2024-9474, and CVE-2025-0108 (Palo Alto Networks PAN-OS)
Attacks have also been recorded from a previously undocumented threat cluster named Chaya_005 that weaponized CVE-2018-4063 in early January 2024 to upload an unspecified malicious payload with the name “fw_upload_init.cgi.” No further successful exploitation efforts have been detected since then.
“Chaya_005 appears to be a broader reconnaissance campaign testing multiple vendor vulnerabilities rather than focusing on a single one,” Forescout Research – Vedere Labs said, adding it’s likely the cluster is no longer a “significant threat.”
In light of active exploitation of CVE-2018-4063, Federal Civilian Executive Branch (FCEB) agencies are advised to update their devices to a supported version or discontinue the use of the product by January 2, 2026, since it has reached end-of-support status.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
Apple Issues Security Updates After Two WebKit Flaws Found Exploited in the Wild