
CVE-2018-4063: Sierra Wireless Router Vulnerability Now Under Active Attack

CVE ID: CVE-2018-4063

Severity: HIGH | CVSS: 8.8

Sources: 2 different security sources

Let Me Explain What Happened

Let me tell you about something important that's happening right now. On December 12th, 2025, CISA—that's the U.S. Cybersecurity and Infrastructure Security Agency—added a six-year-old vulnerability to their Known Exploited Vulnerabilities catalog. Now, you might be wondering why they're concerned about something from 2018. Here's what's going on: attackers are actively exploiting a flaw in Sierra Wireless AirLink routers that lets them upload malicious files and take complete control of these devices. These aren't just any routers—they're industrial-grade equipment used in critical infrastructure, manufacturing facilities, and remote operations where reliability matters most.

A Bit More Detail

The vulnerability lives in a component called upload.cgi, which is part of the router's web management interface. Think of it like a door that's supposed to check what you're bringing into a building, but instead it just lets anyone walk in with anything they want. When an attacker sends a specially crafted HTTP request to this component, they can upload executable code directly to the webserver. The concerning part? This vulnerability requires only low-level authentication—meaning an attacker doesn't need administrative privileges to exploit it. Once that malicious file is uploaded, it becomes accessible through the web interface, and the attacker can execute it remotely.

The Technical Specifics

  • Attack Vector: NETWORK (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  • Affected Products: Sierra Wireless AirLink ES450 running firmware version 4.9.3 (and likely other ALEOS-based routers)
  • CWE Classification: CWE-434 (Unrestricted Upload of File with Dangerous Type)
  • Attack Complexity: Low—once an attacker has basic credentials, exploitation is straightforward
  • Privileges Required: Low—only basic authenticated access needed
  • Impact: Complete compromise of confidentiality, integrity, and availability
  • Discovery Credit: Originally discovered and reported by Cisco Talos Intelligence in 2018

Why This Matters Now

Here's where I need to be straight with you. This vulnerability was first disclosed back in May 2019, and patches have been available for years. So why is CISA adding it to their KEV catalog now, in December 2025? Because they have evidence that attackers are actively exploiting it in the wild. This tells us something important: there are still unpatched Sierra Wireless routers out there, and adversaries know exactly how to find and compromise them.

According to research from Forescout, industrial routers like these are increasingly under attack. These devices often sit at the edge of operational technology (OT) networks, providing remote access to critical systems. When attackers compromise them, they gain a foothold into environments that control physical processes—manufacturing lines, power distribution, water treatment facilities, and transportation systems. The consequences can extend far beyond data theft into the realm of physical safety and operational disruption.

Understanding the Attack Chain

Let me walk you through how an attack using this vulnerability typically unfolds. First, the attacker needs to obtain low-level credentials for the router's web interface. They might do this through credential stuffing, phishing, or exploiting default passwords that were never changed. Once they have those credentials, they craft a malicious HTTP POST request to the upload.cgi endpoint. This request contains executable code disguised as a legitimate file upload.

Because the upload.cgi component doesn't properly validate what type of file is being uploaded or where it can be placed, the attacker's code gets written directly into a web-accessible directory. From there, the attacker simply needs to navigate to the uploaded file's URL, and the webserver executes their code with the privileges of the web application. At this point, they have remote code execution on the device and can pivot to other systems on the network, establish persistence, or disrupt operations.

What You Should Do About This

  • Right Now—Immediate Actions:
    • Identify affected devices: Search your asset inventory for Sierra Wireless AirLink ES450 routers and other ALEOS-based devices. Don't forget about devices in remote locations or those managed by third-party service providers.
    • Check for compromise: Review web server logs on these devices for unusual POST requests to upload.cgi, especially those followed by GET requests to unexpected file paths. Look for recently created files in web-accessible directories that shouldn't be there.
    • Implement network segmentation: If you can't immediately patch, isolate these devices from critical systems and restrict management interface access to specific IP addresses through firewall rules.
    • Review authentication logs: Look for successful logins from unexpected IP addresses or at unusual times. Check if default credentials are still in use.
  • For the Long Term—Sustainable Protection:
    • Apply firmware updates: Contact Sierra Wireless or check their support portal for the latest ALEOS firmware that addresses CVE-2018-4063. Test updates in a non-production environment first, then deploy systematically.
    • Harden authentication: Change all default credentials immediately. Implement strong, unique passwords for each device. Consider certificate-based authentication where supported.
    • Restrict management access: Disable remote management interfaces from the internet entirely if possible. Use VPN access for legitimate remote administration. Implement IP allowlisting for management interfaces.
    • Monitor continuously: Set up alerts for authentication attempts, configuration changes, and unusual network traffic patterns from these devices. Include them in your regular vulnerability scanning rotation.
    • Develop an OT security program: If you're managing industrial routers and OT equipment, you need specialized security practices. These devices often can't be patched as quickly as IT systems, so compensating controls become critical.

Detection and Hunting Guidance

If you're a security analyst or incident responder, here are some specific things to look for. In your SIEM or log analysis platform, search for HTTP POST requests to paths containing "upload.cgi" on Sierra Wireless device IP addresses. Pay particular attention to requests that return 200 OK responses followed shortly by GET requests to unusual file paths—this pattern suggests successful exploitation.
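The log correlation suggested above and in the "Check for compromise" step is shown below as an added example; it is not code from the advisory, from CISA or from Sierra Wireless. It assumes a Combined-Log-Format access log and a placeholder allowlist of management paths (`KNOWN_PATHS`); the log lines are constructed, not captured from a device.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log (not from a real device). Client 10.0.0.5 shows the
# pattern of interest: POST to upload.cgi -> 200, then a GET to an unexpected path.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Dec/2025:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 4120
10.0.0.5 - admin [12/Dec/2025:10:01:09 +0000] "POST /upload.cgi HTTP/1.1" 200 212
10.0.0.5 - admin [12/Dec/2025:10:01:15 +0000] "GET /uploads/a.cgi HTTP/1.1" 200 97
10.0.0.9 - tech [12/Dec/2025:10:05:00 +0000] "POST /upload.cgi HTTP/1.1" 200 212
10.0.0.9 - tech [12/Dec/2025:10:05:02 +0000] "GET /index.html HTTP/1.1" 200 4120
10.0.0.7 - guest [12/Dec/2025:10:07:00 +0000] "POST /upload.cgi HTTP/1.1" 403 0
10.0.0.7 - guest [12/Dec/2025:10:07:04 +0000] "GET /tmp/x.cgi HTTP/1.1" 404 0
"""

# ip, ident, user, timestamp, method, path, protocol, status
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Placeholder allowlist: replace with the paths your device's web UI really serves.
KNOWN_PATHS = {"/", "/index.html", "/login.html", "/logout.cgi", "/upload.cgi"}
WINDOW = timedelta(minutes=5)  # how soon after the POST a follow-up GET counts


def parse(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, user, ts, method, path, status = m.groups()
    return {"ip": ip, "user": user, "method": method, "status": int(status),
            "path": path.split("?", 1)[0],  # drop query string before allowlist check
            "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")}


def find_suspicious_uploads(log_text, known_paths=KNOWN_PATHS, window=WINDOW):
    """Return (ip, user, post_time, fetched_path) for every successful POST to
    upload.cgi that the same client follows, within `window`, with a GET to a
    path outside the allowlist. Only that sequence is flagged, so a normal
    upload followed by ordinary UI navigation (10.0.0.9) is not reported."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    hits = []
    for i, ev in enumerate(events):
        if not (ev["method"] == "POST" and ev["path"].endswith("upload.cgi")
                and ev["status"] == 200):
            continue
        for follow in events[i + 1:]:
            if follow["time"] - ev["time"] > window:
                break
            if (follow["ip"] == ev["ip"] and follow["method"] == "GET"
                    and follow["path"] not in known_paths):
                hits.append((ev["ip"], ev["user"], ev["time"].isoformat(), follow["path"]))
                break
    return hits
```

Feed the output into a ticket or SIEM alert rather than treating it as proof of compromise: a legitimate firmware or configuration upload followed by a fetch of a new file will match too, so confirm by checking the file on the device.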

For network-based detection, look for outbound connections from these routers to unexpected destinations, especially command-and-control infrastructure. The devices should have predictable communication patterns; deviations warrant investigation. If you have the capability, examine the filesystem on suspected devices for recently modified files in web directories, particularly executable files or scripts that shouldn't be there.

The Broader Context

This situation illustrates a persistent challenge in operational technology and industrial control system security. These environments often run equipment with long lifecycles—devices that were installed years ago and are expected to operate for decades. The Sierra Wireless AirLink ES450 is a perfect example: it's ruggedized, reliable equipment designed for harsh environments and continuous operation. But that longevity becomes a security liability when vulnerabilities are discovered and patches aren't applied.

The fact that CISA added this to their KEV catalog in 2025—more than six years after the vulnerability was disclosed—tells us that patch management in OT environments remains a significant challenge. Federal agencies are now required to remediate KEV-listed vulnerabilities within specified timeframes, and CISA strongly recommends that all organizations do the same, regardless of sector.

Going Deeper: MITRE ATT&CK Mapping

For those of you who work with the MITRE ATT&CK framework, this vulnerability and its exploitation map to several techniques. The initial exploitation represents T1190: Exploit Public-Facing Application, as attackers target the web management interface. The file upload capability enables T1105: Ingress Tool Transfer, allowing attackers to bring additional tools onto the compromised device. Once code execution is achieved, attackers can establish T1505.003: Web Shell for persistent access. From there, they might perform T1018: Remote System Discovery to map the network and T1021: Remote Services to move laterally to other systems.

Understanding these techniques helps you build detection logic that looks for the broader attack pattern rather than just the specific vulnerability exploitation. Even if attackers find a different initial access method, the subsequent behaviors often follow similar patterns.

A Word of Encouragement

I know this might feel overwhelming, especially if you're discovering you have vulnerable devices in your environment. Take a breath. The fact that you're reading this and learning about the threat means you're already taking the right steps. Security is a journey, not a destination, and every improvement you make—every device you patch, every credential you strengthen, every alert you configure—makes your environment more resilient.

Start with what you can control today. Identify your Sierra Wireless devices, check their firmware versions, and make a plan. You don't have to fix everything at once, but you do need to start. And remember, you're not alone in this—the security community shares this information precisely so we can all help each other stay protected.

Where I Found This Information


Note: This is automated security intelligence based on multiple sources. Always test updates carefully before applying them everywhere, especially in operational technology environments where availability is critical.
