Significant Vulnerability Found in Sierra Wireless Routers
On December 13, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning regarding a critical vulnerability affecting Sierra Wireless AirLink ALEOS routers. This flaw has been officially listed in the agency’s Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation.
Understanding the Vulnerability
Tracked as CVE-2018-4063, the vulnerability carries a high severity rating, with a CVSS score reported between 8.8 and 9.9. It is an unrestricted file upload flaw that can be leveraged to execute arbitrary code remotely through specially crafted HTTP requests. CISA describes it concisely: “A malicious HTTP request could upload a file, thereby running executable code on the web server.” An attacker must be authenticated to trigger the vulnerability.
The Technical Details
This issue, which has lingered for over six years, was first publicly disclosed by Cisco Talos in April 2019. Talos categorized it as an exploitable remote code execution flaw in the ACEManager “upload.cgi” function, affecting in particular the Sierra Wireless AirLink ES450 running firmware version 4.9.3. Cisco Talos reported the flaw to Sierra Wireless in December 2018.
The vulnerability stems from the file upload functionality for device templates. The attacker specifies the name of the file being uploaded, and if that name matches an existing file in the directory, the upload overwrites the original file and inherits its permissions. Uploading a file with the same name as an existing executable (for example, “fw_upload_init.cgi” or “fw_status.cgi”) therefore leads to remote code execution, because ACEManager runs with root-level privileges.
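To make the weakness concrete, here is an added example (not Sierra Wireless or ACEManager code) of a minimal template upload handler written two ways: the vulnerable pattern described above, where a client-chosen name silently replaces an existing file and keeps its permissions, and a hardened form that validates the name, pins the write to the upload directory, refuses to overwrite anything that already exists, and creates the file without execute bits. The directory layout, the allow-listed extensions and the stand-in CGI file are constructed for the demonstration.

```python
"""Added example (not Sierra Wireless or ACEManager code): a template upload
handler in the vulnerable pattern and in a hardened form. Directory names,
the allow-listed extensions and the sample CGI file are constructed."""
import os
import re
import tempfile
from pathlib import Path

# Assumed for the example: template uploads may only carry these extensions,
# so an uploaded body can never land on disk under an executable CGI name.
ALLOWED_SUFFIXES = {".xml", ".tmpl"}
# Exactly one path component: no separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


class UploadRejected(Exception):
    """Raised by the hardened handler when a request fails validation."""


def upload_unsafe(web_root: Path, client_name: str, data: bytes) -> Path:
    """Vulnerable pattern, kept only for contrast: the client-supplied name is
    used verbatim. Writing into an existing file keeps that file's inode and
    mode bits, so an existing CGI is replaced in place and stays executable,
    which is the behaviour the advisory describes."""
    target = web_root / client_name
    target.write_bytes(data)
    return target


def is_safe_name(name: str) -> bool:
    """True for a bare file name that matches the character allow-list and one
    of the permitted extensions; rejects traversal, separators and CGI names."""
    return (SAFE_NAME.fullmatch(name) is not None
            and Path(name).suffix.lower() in ALLOWED_SUFFIXES)


def upload_safe(upload_dir: Path, client_name: str, data: bytes) -> Path:
    """Hardened pattern: validate the name, confine the write to upload_dir,
    create the file exclusively so nothing existing can be overwritten, and
    create it without execute bits."""
    if not is_safe_name(client_name):
        raise UploadRejected(f"rejected file name: {client_name!r}")
    upload_dir = upload_dir.resolve()
    target = (upload_dir / client_name).resolve()
    if target.parent != upload_dir:  # defence in depth after the regex check
        raise UploadRejected("path escapes the upload directory")
    # O_EXCL makes the open fail if the name already exists, so an upload can
    # never take over an existing file (or its permissions) through this path.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Run both handlers against a constructed web root and report what each
    allowed. Every value is True when the handlers behave as described."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        web_root = Path(tmp)
        cgi = web_root / "fw_status.cgi"  # constructed stand-in for a real CGI
        cgi.write_bytes(b"#!/bin/sh\necho original\n")
        os.chmod(cgi, 0o755)
        original_mode = cgi.stat().st_mode

        # Vulnerable handler: the upload replaces the CGI and keeps its mode.
        upload_unsafe(web_root, "fw_status.cgi", b"replaced body\n")
        results["unsafe_overwrote_cgi"] = cgi.read_bytes() == b"replaced body\n"
        results["unsafe_kept_mode"] = cgi.stat().st_mode == original_mode

        # Hardened handler: CGI names and traversal attempts are rejected.
        for bad in ("fw_status.cgi", "../fw_status.cgi", "..\\fw_status.cgi"):
            try:
                upload_safe(web_root, bad, b"x")
                results[f"safe_rejected:{bad}"] = False
            except UploadRejected:
                results[f"safe_rejected:{bad}"] = True

        # A legitimate template is accepted once, without execute bits, and a
        # second upload under the same name cannot overwrite the first.
        written = upload_safe(web_root, "site.tmpl", b"<template/>\n")
        results["safe_no_exec"] = (written.stat().st_mode & 0o111) == 0
        try:
            upload_safe(web_root, "site.tmpl", b"second\n")
            results["safe_refused_overwrite"] = False
        except FileExistsError:
            results["safe_refused_overwrite"] = True
        results["safe_kept_first"] = written.read_bytes() == b"<template/>\n"
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The two controls that matter most are independent of each other: the extension allow-list stops an upload from ever carrying a CGI name, and `O_EXCL` stops it from replacing any existing file regardless of name. Keeping the upload directory outside the web server's CGI path, and mounted without execute permission, adds a third layer that does not depend on the handler's code at all.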
Recent Exploit Patterns and Attacks
In a recent analysis, Forescout found that industrial routers, including systems running Sierra Wireless firmware, are under constant attack in operational technology (OT) environments. The report identified several malware families, such as RondoDox, Redtail, and ShadowV2, that target similar vulnerabilities in these devices.
In addition, a previously unknown threat group tracked as Chaya_005 has been observed weaponizing CVE-2018-4063. In early January 2024, the group uploaded a malicious payload named “fw_upload_init.cgi.” No further exploitation by this group has been recorded since then, which has led researchers to regard it as a diminished threat.
Recommendations for Agencies
Given the active exploitation of CVE-2018-4063, CISA recommends immediate action by Federal Civilian Executive Branch (FCEB) agencies: update affected devices to a supported version, or plan to discontinue use of the affected products by January 2, 2026. This line of routers has officially reached end-of-support status.
The rapid evolution of cyber threats underscores the need for organizations to remain vigilant about the security of their infrastructure. With attacks on network devices increasing in frequency, it is crucial to stay informed and proactive in addressing potential vulnerabilities.