🔴 CVE-2018-4063

Remote code execution vulnerability in the Sierra Wireless AirLink ES450 router that allows authenticated attackers to upload and execute malicious code via an HTTP request to upload.cgi. This vulnerability is in the CISA KEV catalog, indicating active exploitation in the wild.

Risk Level: HIGH_RISK

CVSS Score: 8.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2019-05-06

Added to CISA KEV: 2025-12-12 (2412 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2018-4063 is a critical security vulnerability affecting Sierra Wireless AirLink ALEOS routers. It has been formally added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog due to evidence of active exploitation in the wild [1] [6].

Vulnerability Overview
  • Nature of Flaw: It is an unrestricted file upload vulnerability located in the `upload.cgi` functionality of the device's firmware [3] [2].
  • Impact: Successful exploitation allows an attacker to achieve Remote Code Execution (RCE) on the affected router [1] [4].
  • Severity: The vulnerability is classified as high severity, with CVSS scores reported as 8.8 or 9.9 depending on the assessment [4] [2].

Exploitation Details
  • Attack Method: Attackers can trigger the vulnerability by sending a specially crafted, authenticated HTTP request to the web server [2]. This request uploads a file that results in executable code being placed on and routable to the web server [2].
  • Requirements: Exploitation requires the attacker to have authentication credentials to make the necessary HTTP request [2].
  • Active Usage: The vulnerability is being actively targeted by threat actors. Observations from honeypot analysis indicate that attackers are using this flaw to deliver botnet malware and cryptocurrency miners, such as the RondoDox family [1] [2]. Specifically, a threat cluster identified as *Chaya_005* was observed weaponizing this flaw in early 2024 [5].
  • Ransomware: There is currently no widely reported evidence linking this specific vulnerability to major ransomware campaigns; observed activity has primarily focused on botnets and cryptojacking [1] [2].

Affected Products and Mitigation
  • Affected Versions: The vulnerability was initially identified in Sierra Wireless AirLink ES450 running firmware version 4.9.3 [3].
  • Mitigation: Users are urged to consult official security advisories from Sierra Wireless to determine if their specific device and firmware version are affected and to apply the necessary patches or security updates provided by the vendor. Given its inclusion in the CISA KEV catalog, immediate remediation is strongly recommended for any exposed devices.

Sources

  1. Critical Sierra Wireless AirLink ALEOS Router Vulnerability (CVE ...

    The flaw, tracked as CVE-2018-4063, enables remote code execution (RCE) via an unrestricted file upload mechanism. This vulnerability is being actively t…

  2. CISA Adds Actively Exploited Sierra Wireless Router Flaw Enabling...

    CVE-2018-4063 (CVSS score: 8.8/9.9) refers to an unrestricted file upload vulnerability that could be exploited to achieve remote code execution by means of a malicious HTTP request. "A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to th…

  3. CVE-2018-4063 Detail - NVD

    Description. An exploitable remote code execution vulnerability exists in the upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. ... Reference Type. CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-4063 Types: US Government Resource. Added.ht…

  4. CISA Alerts on Exploited Vulnerability in Sierra Wireless AirLink...

    The CVE-2018-4063 vulnerability is classified as an unrestricted file upload flaw. It carries a Common Vulnerability Scoring System (CVSS) score of either 8.8 or 9.9, signaling its high severity. The weakness allows attackers to potentially conduct remote code execution on vulnerable devices. This c…

  5. CISA Flags Sierra Wireless Router Flaw CVE-2018-4063 - LinkedIn

    Active Exploitation: Threat cluster *Chaya_005* weaponized this flaw in early 2024, attempting to deliver malicious payloads. Broader Risk ...

  6. CISA Adds One Known Exploited Vulnerability to Catalog

    CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2018-4063…