The U.S. Cybersecurity and Infrastructure Security Agency has added a high-severity vulnerability affecting Sierra Wireless AirLink routers to its Known Exploited Vulnerabilities catalog after confirming evidence of active exploitation. The flaw, tracked as CVE-2018-4063, impacts devices running ALEOS firmware and carries a CVSS severity score ranging from 8.8 to 9.9. CISA's action signals that the issue is no longer theoretical and is being leveraged in real-world attack activity, increasing risk for organizations that continue to operate affected hardware in production environments.
CVE-2018-4063 is an unrestricted file upload vulnerability that allows authenticated attackers to achieve remote code execution by sending a specially crafted HTTP request. According to CISA, the flaw enables attackers to upload executable files directly to the device web server, where they can be accessed and run. The issue originates in the ACEManager upload.cgi functionality of Sierra Wireless AirLink ES450 routers, specifically firmware version 4.9.3. Technical details of the vulnerability were first disclosed by Cisco Talos in April 2019 after the security team reported the issue to Sierra Wireless in December 2018. Talos explained that when template files are uploaded through the management interface, users can specify arbitrary file names, and the system does not enforce restrictions to prevent overwriting existing operational files.
Because some files within the affected directory already have executable permissions, an attacker can upload a malicious file using the same name as a trusted executable such as fw_upload_init.cgi or fw_status.cgi. Once overwritten, the malicious file inherits the original permissions, allowing it to execute on the device. The risk is amplified by the fact that ACEManager operates with root privileges, meaning any uploaded script or binary runs with full system-level access. This combination makes the vulnerability particularly dangerous in operational technology environments, where these routers are often deployed to support industrial control systems, logistics infrastructure, and remote monitoring networks.
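The two paragraphs above describe an upload handler that trusts the client-supplied file name and silently overwrites whatever already exists in a directory of root-owned executables. The following Python is an added example (not Sierra Wireless or ALEOS code) of the checks such a handler needs: reject path components, enforce an allowed extension, refuse any name that already exists, create the file with O_EXCL so a race cannot turn into an overwrite, and never grant execute bits. The `.tmpl` extension, the temporary target directory and the placeholder file names are assumptions made for the example.

```python
"""
Hardened handling for a template upload, added as an illustration of the
checks whose absence the text describes (client-chosen file names, silent
overwrite of existing executables). Example code, not vendor firmware; the
allowed extension, the target directory and the sample file names are
assumptions made for the example.
"""
import os
import re
import stat
import tempfile
from typing import Dict, Iterable, Tuple

# Assumption: template uploads are plain text with exactly this extension.
ALLOWED_EXTENSIONS = {".tmpl"}
# Bare name shape: letters, digits, '_' or '-', then one extension.
# No '/', no '\\', no leading dot, no embedded '..'.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}$")


def validate_upload_name(filename: str, existing_files: Iterable[str]) -> Tuple[bool, str]:
    """Return (accepted, reason). The name is treated as untrusted input."""
    # Anything with a path component (../, subdir/) is rejected outright.
    if filename in ("", ".", "..") or filename != os.path.basename(filename):
        return False, "path component in file name"
    if not SAFE_NAME.match(filename):
        return False, "file name outside allowed character set"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension %r not allowed" % ext
    # Never overwrite: a name already present (executable or not) is refused,
    # so fw_upload_init.cgi and friends cannot be replaced through this path.
    if filename in set(existing_files):
        return False, "name collides with an existing file"
    return True, "ok"


def save_upload(dest_dir: str, filename: str, data: bytes) -> str:
    """Validate, then write with create-only semantics and no execute bits."""
    accepted, reason = validate_upload_name(filename, os.listdir(dest_dir))
    if not accepted:
        raise ValueError(reason)
    path = os.path.join(dest_dir, filename)
    # O_EXCL makes the open fail if the file appeared after the listing,
    # closing the window for a listing/open race to become an overwrite.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    # Force a non-executable mode regardless of the process umask.
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH)
    return path


def demo() -> Dict[str, object]:
    """Exercise the checks against a constructed directory that already holds
    files named like the trusted executables mentioned in the text."""
    dest = tempfile.mkdtemp()
    for name in ("fw_upload_init.cgi", "fw_status.cgi"):
        with open(os.path.join(dest, name), "w") as fh:
            fh.write("#!/bin/sh\n# placeholder executable\n")
        os.chmod(os.path.join(dest, name), 0o755)
    results: Dict[str, object] = {}
    for candidate in ("fw_upload_init.cgi", "../site.tmpl", "site.tmpl"):
        results[candidate] = validate_upload_name(candidate, os.listdir(dest))
    saved = save_upload(dest, "site.tmpl", b"template body")
    results["saved_executable"] = bool(os.stat(saved).st_mode & stat.S_IXUSR)
    # A second upload with the same name is refused instead of overwriting.
    try:
        save_upload(dest, "site.tmpl", b"second body")
        results["overwrite_refused"] = False
    except ValueError:
        results["overwrite_refused"] = True
    # The trusted executable is untouched.
    with open(os.path.join(dest, "fw_upload_init.cgi")) as fh:
        results["cgi_intact"] = fh.read().startswith("#!/bin/sh")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The design choice worth noting is that the collision check refuses every existing name rather than only names with execute bits: an allowlist of "safe to overwrite" files would have to be maintained as the firmware changes, whereas "uploads never replace anything" needs no maintenance and closes the permission-inheritance path described above.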
The inclusion of this flaw in the KEV catalog follows a honeypot study conducted by Forescout over a 90-day period, which found that industrial routers are among the most frequently targeted assets in OT environments. The analysis revealed attempts to deploy botnet malware and cryptocurrency miners, including RondoDox, Redtail, and ShadowV2, by exploiting known vulnerabilities across multiple vendors. In addition to CVE-2018-4063, attackers were observed targeting flaws in Four-Faith routers tracked as CVE-2024-12856, as well as several Palo Alto Networks PAN-OS vulnerabilities including CVE-2024-0012, CVE-2024-9474, and CVE-2025-0108. These findings highlight a sustained focus on network edge devices as entry points for persistent access and lateral movement.
Forescout researchers also identified activity linked to a previously undocumented threat cluster labeled Chaya_005, which weaponized CVE-2018-4063 in early January 2024. The group attempted to upload a malicious payload using the filename fw_upload_init.cgi, mirroring the exploitation technique described by Cisco Talos years earlier. While no further successful exploitation attempts tied to this cluster have been observed since that period, researchers assessed the activity as part of a broader reconnaissance effort probing multiple vendor vulnerabilities rather than a focused campaign. As a result, Chaya_005 is no longer considered a significant active threat, though the underlying exposure remains.
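Whether the attempt above succeeded or not, the durable artifact of this technique is a trusted CGI executable whose content has changed while its mode has not. The Python below is an added example (not Sierra Wireless, Forescout or Talos code) of a baseline integrity comparison that surfaces exactly that: it fingerprints a directory snapshot by content hash and execute bit, then reports a replaced executable separately from ordinary additions. The file names reuse those mentioned in the text; the contents, modes and the in-memory snapshot format are constructed for the example, and a real collector would populate the snapshot from the device's CGI directory.

```python
"""
Baseline integrity check for a web-server CGI directory, added here as an
example of detecting the outcome described above: a trusted executable
replaced by uploaded content that keeps the execute bit. Not vendor code;
the file names, contents and modes are constructed sample data.
"""
import hashlib
import stat
from typing import Dict, List, Tuple

# A snapshot maps file name -> (content, mode bits); constructed in memory
# here, but a real collector would fill it from the device's CGI directory.
Snapshot = Dict[str, Tuple[bytes, int]]


def fingerprint(snapshot: Snapshot) -> Dict[str, Tuple[str, bool]]:
    """Reduce each file to (sha256 hex digest, executable flag)."""
    out: Dict[str, Tuple[str, bool]] = {}
    for name, (content, mode) in snapshot.items():
        digest = hashlib.sha256(content).hexdigest()
        is_exec = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
        out[name] = (digest, is_exec)
    return out


def compare(baseline: Snapshot, current: Snapshot) -> List[Tuple[str, str]]:
    """Return (file, finding) pairs sorted by name.

    'modified-executable' is the signature of the overwrite described in the
    text; 'new-executable' catches a fresh executable dropped beside the
    trusted ones; 'modified', 'new' and 'missing' cover the rest."""
    base = fingerprint(baseline)
    now = fingerprint(current)
    findings: List[Tuple[str, str]] = []
    for name in sorted(set(base) | set(now)):
        if name not in now:
            findings.append((name, "missing"))
        elif name not in base:
            findings.append((name, "new-executable" if now[name][1] else "new"))
        elif base[name][0] != now[name][0]:
            findings.append((name, "modified-executable" if now[name][1] else "modified"))
    return findings


def sample_baseline() -> Snapshot:
    """Constructed known-good state: two trusted CGI executables, one page."""
    return {
        "fw_upload_init.cgi": (b"#!/bin/sh\n# firmware upload init (placeholder)\n", 0o755),
        "fw_status.cgi": (b"#!/bin/sh\n# firmware status (placeholder)\n", 0o755),
        "index.html": (b"<html><body>ACEManager</body></html>\n", 0o644),
    }


def sample_after_overwrite() -> Snapshot:
    """Constructed post-incident state: an upload reused a trusted name, so
    the file's content changed while its 0o755 mode was inherited."""
    after = dict(sample_baseline())
    after["fw_upload_init.cgi"] = (b"<uploaded template body, placeholder>\n", 0o755)
    after["site.tmpl"] = (b"<legitimate template, placeholder>\n", 0o644)
    return after


if __name__ == "__main__":
    for name, finding in compare(sample_baseline(), sample_after_overwrite()):
        print(f"{finding:20s} {name}")
```

The comparison keys on content hash rather than size or mtime because an upload that reuses a trusted name can trivially match the original's size, and the web server's own writes may leave timestamps that look benign; the execute flag is carried alongside the hash so that a changed executable is ranked above a changed static page.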
In response to confirmed exploitation, CISA has issued guidance for Federal Civilian Executive Branch agencies, advising them to update affected Sierra Wireless devices to a supported firmware version or discontinue use of the product entirely. The agency set a remediation deadline of January 2, 2026, noting that the affected hardware has reached end-of-support status. Organizations outside the federal sector operating Sierra Wireless AirLink routers in critical or industrial environments face similar exposure and are encouraged to assess their risk posture, given the continued interest from threat actors in exploiting long-standing but unpatched vulnerabilities in network infrastructure.