CISA Adds Actively Exploited Sierra Wireless AirLink Router Flaw Enabling Remote Code Execution
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity vulnerability in Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of ongoing real-world exploitation.
CVE-2018-4063 (CVSS score: 8.8/9.9) is an unrestricted file upload issue that can be abused for remote code execution using a crafted HTTP request.
“A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver,” the agency said. “An attacker can make an authenticated HTTP request to trigger this vulnerability.”
Details of the six-year-old vulnerability were published by Cisco Talos in April 2019, characterizing it as a remote code execution issue in the ACEManager “upload.cgi” handler in Sierra Wireless AirLink ES450 firmware version 4.9.3. Talos initially reported the problem to the vendor in December 2018.
“This vulnerability exists in the file upload capability of templates within the AirLink 450,” the company said. “When uploading template files, you can specify the name of the file that you are uploading.”
“There are no restrictions in place that protect the files that are currently on the device, used for normal operation. If a file is uploaded with the same name of the file that already exists in the directory, then we inherit the permissions of that file.”
Talos highlighted that several files present in the relevant directory (e.g., “fw_upload_init.cgi” or “fw_status.cgi”) are executable on the device. As a result, an attacker can issue HTTP requests to the “/cgi-bin/upload.cgi” endpoint and upload a file using one of these names to obtain code execution.
The impact is further amplified because ACEManager runs with root privileges, so any shell script or binary delivered through this path executes with full system privileges on the device.
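The overwrite-inherits-permissions mechanism Talos describes, shown as an added Python example that is not the vendor's code: a stand-in template upload routine with the flaw beside one carrying the checks a defender would expect. The directory, file names and contents are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Names taken from the article: executable CGI files that sit in the upload directory.
EXISTING_EXECUTABLES = ("fw_upload_init.cgi", "fw_status.cgi")


def make_device_dir() -> str:
    """Constructed stand-in for the router's CGI directory (hypothetical, not the real layout)."""
    d = tempfile.mkdtemp()
    for name in EXISTING_EXECUTABLES:
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho original\n")
        os.chmod(path, 0o755)  # executable, as the article says these files are
    return d


def vulnerable_save(upload_dir: str, name: str, data: bytes) -> int:
    """Mirrors the described flaw: client-chosen name, existing file truncated in place,
    so the new content keeps the old file's mode bits. Returns the resulting mode."""
    path = os.path.join(upload_dir, name)
    with open(path, "wb") as f:  # truncating an existing file does not reset its mode
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def hardened_save(upload_dir: str, name: str, data: bytes) -> int:
    """Checks that close the gap: plain basename only, never overwrite an existing file,
    and create with a non-executable mode. Returns the resulting mode."""
    if name != os.path.basename(name) or name in ("", ".", ".."):
        raise ValueError("upload name must be a plain file name")
    path = os.path.join(upload_dir, name)
    # O_EXCL makes create-if-absent atomic: an existing executable is never replaced
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)
```

The flawed routine hands back a file that is still mode 0755 after the overwrite, which is exactly the permission inheritance Talos points to; the hardened one refuses the collision outright.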
The inclusion of CVE-2018-4063 in the KEV catalog follows a 90-day honeypot study by Forescout, which observed that industrial routers are currently the most frequently targeted assets in operational technology (OT) environments. Adversaries were seen attempting to deploy botnet and cryptocurrency miner malware families such as RondoDox, Redtail, and ShadowV2 by abusing the following vulnerabilities –
- CVE-2024-12856 (Four-Faith routers)
- CVE-2024-0012, CVE-2024-9474, and CVE-2025-0108 (Palo Alto Networks PAN-OS)
Forescout also observed activity from a previously untracked threat cluster dubbed Chaya_005, which leveraged CVE-2018-4063 in early January 2024 to upload an unidentified malicious payload named “fw_upload_init.cgi.” No additional successful exploitation from this cluster has been seen since that time.
“Chaya_005 appears to be a broader reconnaissance campaign testing multiple vendor vulnerabilities rather than focusing on a single one,” Forescout Research – Vedere Labs said, noting that the cluster is probably no longer a “significant threat.”
Given the confirmed exploitation of CVE-2018-4063, Federal Civilian Executive Branch (FCEB) agencies are directed to upgrade affected devices to a supported version or fully decommission the product by January 2, 2026, because it is now end-of-support.
