- CISA added a high-severity vulnerability in Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities catalog due to active exploitation.
- CVE-2018-4063 allows remote code execution via an unrestricted file upload vulnerability in the router’s ACEManager “upload.cgi” function.
- Exploitation involves sending authenticated HTTP requests to upload executable files with root privileges.
- Forescout analysis confirmed industrial routers as heavily targeted, with active attacks by the threat group Chaya_005 using this vulnerability.
- Federal agencies are urged to update or discontinue affected devices by January 2, 2026, as support has ended.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on December 12, 2025, added a critical vulnerability affecting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog. The decision follows confirmed reports of active exploitation of CVE-2018-4063, a flaw enabling remote code execution through an unrestricted file upload mechanism.
CVE-2018-4063, with a CVSS score between 8.8 and 9.9, resides in the ACEManager “upload.cgi” component of the AirLink ES450 firmware version 4.9.3. The vulnerability permits an attacker to send a specially crafted authenticated HTTP request to upload executable code to the router’s webserver. This occurs because uploaded files can overwrite existing ones without restrictions, inheriting executable permissions. Given that ACEManager runs with root privileges, uploaded scripts execute with elevated access, increasing the risk severity.
The vulnerability was first disclosed publicly by Cisco Talos in April 2019, after reporting it to Sierra Wireless in December 2018. Talos noted that critical files such as “fw_upload_init.cgi” can be replaced via this flaw, leading to full control over the device.
A recent 90-day honeypot study by Forescout identified industrial routers as prime targets in operational technology environments. Attackers often attempt to deploy Malware, including botnets and cryptocurrency miners like RondoDox, Redtail, and ShadowV2, by exploiting vulnerabilities including CVE-2018-4063. Notably, a previously unknown threat cluster named Chaya_005 weaponized this flaw in January 2024 to upload malicious payloads named “fw_upload_init.cgi.” Since then, no further successful exploitations have been observed, with Forescout deeming Chaya_005 not a “significant threat” anymore.
Due to ongoing exploitation risks and the product reaching end-of-support status, Federal Civilian Executive Branch (FCEB) agencies are advised to upgrade affected devices to a supported firmware version or discontinue their use by January 2, 2026, according to CISA’s advisory available here.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- XRP’s Future Uncertain Amid Layer 1 Collapse Fears and Adoption
- Silver Surpasses Amazon and Bitcoin in Market Cap at $3.4T
- Itaú Recommends 1-3% Bitcoin Allocation for Portfolios in 2026
- Apple Patches Two Exploited WebKit Zero-Days in Major Update
- Crypto Groups Oppose Citadel’s SEC Push on DeFi Stock Rules
