Critical Sierra Wireless AirLink ALEOS Router Vulnerability (CVE-2018-4063) Added to CISA KEV After Active Exploitation Enables Remote Code Execution
- Rescana
- 2 days ago
- 3 min read

Executive Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog, following confirmed reports of active exploitation in the wild. The flaw, tracked as CVE-2018-4063, enables remote code execution (RCE) via an unrestricted file upload mechanism. This vulnerability is being actively targeted by threat actors, with exploitation observed in campaigns delivering botnet and cryptocurrency miner malware.
Technical Details
Vulnerability: CVE-2018-4063
CVSS v3 Score: 9.1 (Critical)
Vulnerability Type: Unrestricted upload of file with dangerous type (CWE-434)
Attack Vector: Authenticated HTTP request to the router’s web interface (/cgi-bin/upload.cgi)
Exploitability: Remotely exploitable, low skill level required, public exploits available
Exploitation Mechanism
The vulnerability resides in the upload.cgi function of the ACEManager web interface.
Attackers can upload arbitrary files via a specially crafted HTTP request.
If a file is uploaded with the same name as an existing executable (e.g., fw_upload_init.cgi or fw_status.cgi), the new file inherits executable permissions.
Since ACEManager runs as root, any uploaded shell script or executable is run with root privileges, enabling full device compromise.
References:
- CISA ICS Advisory ICSA-19-122-03
- CISA KEV Catalog
- NVD CVE-2018-4063
- The Hacker News Coverage
Complete List of Affected Product Versions
According to CISA ICS Advisory ICSA-19-122-03, the following Sierra Wireless AirLink ALEOS products and versions are affected by CVE-2018-4063:
LS300, GX400, GX440, ES440: All versions prior to 4.4.9
GX450, ES450: All versions prior to 4.9.4
MP70, MP70E, RV50, RV50X, LX40, LX60: All versions prior to 4.12
Summary Table:

| Product Model | Affected Versions | Fixed In Version |
|---------------|-------------------|------------------|
| LS300 | < 4.4.9 | 4.4.9 |
| GX400 | < 4.4.9 | 4.4.9 |
| GX440 | < 4.4.9 | 4.4.9 |
| ES440 | < 4.4.9 | 4.4.9 |
| GX450 | < 4.9.4 | 4.9.4.p09 |
| ES450 | < 4.9.4 | 4.9.4.p09 |
| MP70 | < 4.12 | 4.12 |
| MP70E | < 4.12 | 4.12 |
| RV50 | < 4.12 | 4.12 |
| RV50X | < 4.12 | 4.12 |
| LX40 | < 4.12 | 4.12 |
| LX60 | < 4.12 | 4.12 |
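The affected-version ranges above are easy to misread when firmware strings carry a patch suffix such as 4.9.4.p09. The following script is an added example written for this post (not Rescana's or Sierra Wireless's code) that encodes the summary table and checks an inventory of model/version pairs against it. It assumes ALEOS version strings have the shape major.minor[.build][.pNN], and it treats anything below the listed fixed-in release as affected (including 4.9.4 without the p09 patch on GX450/ES450), which is the conservative reading of the two columns. The sample inventory is constructed.

```python
"""Check Sierra Wireless AirLink ALEOS firmware versions against the CVE-2018-4063
fixed-in table from the advisory above. Added example; not vendor code."""
import re
from typing import List, Tuple

# Model -> first fixed ALEOS release, copied from the advisory's summary table.
FIXED_IN = {
    "LS300": "4.4.9", "GX400": "4.4.9", "GX440": "4.4.9", "ES440": "4.4.9",
    "GX450": "4.9.4.p09", "ES450": "4.9.4.p09",
    "MP70": "4.12", "MP70E": "4.12", "RV50": "4.12", "RV50X": "4.12",
    "LX40": "4.12", "LX60": "4.12",
}

# Assumed version shape: major.minor[.build][.pNN]; the ".pNN" patch suffix is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\.p(\d+))?$", re.IGNORECASE)


def parse_aleos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse an ALEOS version string into a comparable (major, minor, build, patch) tuple.
    Missing build/patch components count as 0, so '4.12' sorts below '4.12.1'."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised ALEOS version string: {version!r}")
    major, minor, build, patch = m.groups()
    return (int(major), int(minor), int(build or 0), int(patch or 0))


def is_vulnerable(model: str, version: str) -> bool:
    """True when the model/version pair is below the advisory's fixed-in release.
    Conservative reading: 4.9.4 without the p09 patch on GX450/ES450 is still affected."""
    key = model.strip().upper()
    if key not in FIXED_IN:
        raise KeyError(f"model {model!r} is not listed in the advisory")
    return parse_aleos_version(version) < parse_aleos_version(FIXED_IN[key])


def audit_inventory(devices: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (hostname, model, version) rows that still need patching."""
    return [d for d in devices if is_vulnerable(d[1], d[2])]


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = [
        ("site-a-router", "GX450", "4.9.3"),
        ("site-b-router", "GX450", "4.9.4.p09"),
        ("site-c-router", "RV50", "4.11.2"),
        ("site-d-router", "LX60", "4.12"),
    ]
    for host, model, ver in audit_inventory(sample):
        print(f"{host}: {model} running ALEOS {ver} is affected by CVE-2018-4063")
```

Feed it the output of your asset inventory (hostname, model, reported ALEOS version) and any row it returns belongs on the patch or decommission list from the Mitigation section.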
Exploitation in the Wild
Active Exploitation: Confirmed by CISA and multiple security research groups.
Threat Actor: A previously undocumented cluster, "Chaya_005," exploited CVE-2018-4063 in January 2024 to upload a malicious payload named fw_upload_init.cgi.
Malware Delivered: Botnet and cryptocurrency miner families, including RondoDox, Redtail, and ShadowV2, have been observed in related router exploitation campaigns.
Campaign Nature: Chaya_005 appears to be conducting broad reconnaissance, testing multiple vendor vulnerabilities, not solely focused on Sierra Wireless.
Honeypot Analysis: Forescout’s Vedere Labs observed that industrial routers are the most attacked OT devices, with this vulnerability being actively targeted.
Indicators of Compromise (IOCs)
Malicious File Names:
fw_upload_init.cgi
fw_status.cgi
HTTP Requests:
POST requests to /cgi-bin/upload.cgi with suspicious or unauthorized file uploads.
Unusual Processes:
Unexpected executable files in the router’s web directory.
Network Traffic:
Outbound connections to known botnet or crypto-mining C2 infrastructure.
MITRE ATT&CK Mapping
T1190: Exploit Public-Facing Application
Attackers exploit the router’s web interface to gain access.
T1059: Command and Scripting Interpreter
Uploaded scripts are executed with root privileges.
T1078: Valid Accounts
Exploitation requires authentication; attackers may use default or compromised credentials.
APT/Threat Actor Attribution
Chaya_005:
Identified by Forescout as a threat cluster conducting broad reconnaissance and exploitation of multiple router vulnerabilities, including CVE-2018-4063.
No evidence links this activity to a known APT group, and the campaign appears to have ceased as of early 2024.
Mitigation and Remediation
End-of-Support:
Sierra Wireless AirLink ES450 and affected firmware versions are end-of-life. CISA advises updating to a supported version or discontinuing use by January 2, 2026.
Immediate Actions:
Audit devices for signs of compromise (see IOCs above).
Remove or isolate vulnerable devices from critical networks.
Change default credentials and enforce strong authentication.
Monitor for suspicious HTTP POST requests to /cgi-bin/upload.cgi.
Apply vendor patches:
LS300, GX400, GX440, ES440: ALEOS 4.4.9
GX450, ES450: ALEOS 4.9.4.p09
MP70, MP70E, RV50, RV50X, LX40, LX60: ALEOS 4.12
Detection:
Snort Rules: 48600, 48635, 48614-48621, 48747
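The IOC list and the "monitor for suspicious HTTP POST requests" step above can be turned into a simple log-triage pass. The script below is an added example written for this post (not Rescana's, Sierra Wireless's, or Forescout's code). It assumes the HTTP access log is in Apache Combined Log Format (ALEOS devices may log differently, so adjust the regex), flags POSTs to /cgi-bin/upload.cgi per source address, flags requests for the two IOC file names (an inferred indicator, since a dropped script in the web directory is reached over HTTP), and checks a web-directory listing for those names. All log lines and paths are constructed sample data.

```python
"""Triage HTTP access logs and a web-directory listing for the CVE-2018-4063
indicators from the advisory above. Added example; log format is assumed."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

UPLOAD_ENDPOINT = "/cgi-bin/upload.cgi"              # from the advisory
IOC_FILENAMES = {"fw_upload_init.cgi", "fw_status.cgi"}  # from the advisory

# Assumed Apache Combined Log Format; adapt if the device logs in another format.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_access_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line into its fields, or None if it does not match."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def _basename(path: str) -> str:
    """Strip query string and directories from a request path."""
    return path.split("?", 1)[0].rsplit("/", 1)[-1]


def find_upload_posts(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Entries for POST requests to the vulnerable upload endpoint (T1190 in the mapping)."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0] == UPLOAD_ENDPOINT:
            hits.append(rec)
    return hits


def find_ioc_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Entries requesting one of the IOC file names; inferred indicator that the
    dropped file is being invoked through the web server."""
    return [rec for rec in map(parse_access_line, lines)
            if rec and _basename(rec["path"]) in IOC_FILENAMES]


def summarise_by_source(hits: Iterable[Dict[str, str]]) -> Counter:
    """Count flagged requests per client address to prioritise follow-up."""
    return Counter(h["ip"] for h in hits)


def find_ioc_files(listing: Iterable[str]) -> List[str]:
    """Paths from a web-directory listing whose file name matches an IOC name."""
    return [p for p in listing if p.rsplit("/", 1)[-1] in IOC_FILENAMES]


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '198.51.100.23 - - [14/Jan/2024:03:12:07 +0000] "GET /ACEmanager HTTP/1.1" 200 5120',
    '198.51.100.23 - - [14/Jan/2024:03:12:41 +0000] "POST /cgi-bin/upload.cgi HTTP/1.1" 200 312',
    '198.51.100.23 - - [14/Jan/2024:03:12:44 +0000] "POST /cgi-bin/upload.cgi?x=1 HTTP/1.1" 200 298',
    '203.0.113.9 - - [14/Jan/2024:03:15:02 +0000] "GET /cgi-bin/fw_upload_init.cgi HTTP/1.1" 200 44',
    '192.0.2.77 - - [14/Jan/2024:09:00:00 +0000] "GET /ACEmanager HTTP/1.1" 200 5120',
    'not a log line at all',
]

# Constructed sample directory listing of the router's web directory.
SAMPLE_LISTING = [
    "/www/cgi-bin/upload.cgi",
    "/www/cgi-bin/fw_upload_init.cgi",
    "/www/index.html",
]

if __name__ == "__main__":
    posts = find_upload_posts(SAMPLE_LOG)
    for ip, n in summarise_by_source(posts).items():
        print(f"{ip}: {n} POST(s) to {UPLOAD_ENDPOINT}")
    for rec in find_ioc_requests(SAMPLE_LOG):
        print(f"{rec['ip']} requested IOC file {_basename(rec['path'])} at {rec['ts']}")
    for path in find_ioc_files(SAMPLE_LISTING):
        print(f"IOC file present on disk: {path}")
```

Run it against exported access logs and a listing of the web directory from each router; any POST to the upload endpoint from an address you do not recognise as an administrator, or any IOC file name on disk, should trigger the audit and isolation steps listed above.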
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their extended supply chain and digital ecosystem. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify vulnerabilities, prioritize remediation, and ensure compliance with industry standards. By leveraging Rescana, organizations gain actionable insights and enhanced visibility into their cyber risk posture, enabling informed decision-making and resilient operations.
We are happy to answer any questions at ops@rescana.com.