Headline
CISA Adds Actively Exploited Sierra Wireless Router Flaw Enabling RCE Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a high-severity flaw impacting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild. CVE-2018-4063 (CVSS score: 8.8/9.9) refers to an unrestricted file upload vulnerability that could be exploited to achieve remote code
Network Security / Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added a high-severity flaw impacting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild.
CVE-2018-4063 (CVSS score: 8.8/9.9) refers to an unrestricted file upload vulnerability that could be exploited to achieve remote code execution by means of a malicious HTTP request.
“A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver,” the agency said. “An attacker can make an authenticated HTTP request to trigger this vulnerability.”
Details of the six-year-old flaw were publicly shared by Cisco Talos in April 2019, describing it as an exploitable remote code execution vulnerability in the ACEManager “upload.cgi” function of Sierra Wireless AirLink ES450 firmware version 4.9.3. Talos reported the flaw to the Canadian company in December 2018.
“This vulnerability exists in the file upload capability of templates within the AirLink 450,” the company said. “When uploading template files, you can specify the name of the file that you are uploading.”
“There are no restrictions in place that protect the files that are currently on the device, used for normal operation. If a file is uploaded with the same name of the file that already exists in the directory, then we inherit the permissions of that file.”
Talos noted that some of the files that exist in the directory (e.g., “fw_upload_init.cgi” or “fw_status.cgi”) have executable permissions on the device, meaning an attacker can send HTTP requests to the “/cgi-bin/upload.cgi” endpoint to upload a file with the same name to achieve code execution.
This is compounded by the fact that ACEManager runs as root, thereby causing any shell script or executable uploaded to the device to also run with elevated privileges.
The addition of CVE-2018-4063 to the KEV catalog comes a day after a honeypot analysis conducted by Forescout over a 90-day period revealed that industrial routers are the most attacked devices in operational technology (OT) environments, with threat actors attempting to deliver botnet and cryptocurrency miner malware families like RondoDox, Redtail, and ShadowV2 by exploiting the following flaws -
- CVE-2024-12856 (Four-Faith routers)
- CVE-2024-0012, CVE-2024-9474, and CVE-2025-0108 (Palo Alto Networks PAN-OS)
Attacks have also been recorded from a previously undocumented threat cluster named Chaya_005 that weaponized CVE-2018-4063 in early January 2024 to upload an unspecified malicious payload with the name “fw_upload_init.cgi.” No further successful exploitation efforts have been detected since then.
“Chaya_005 appears to be a broader reconnaissance campaign testing multiple vendor vulnerabilities rather than focusing on a single one,” Forescout Research – Vedere Labs said, adding it’s likely the cluster is no longer a “significant threat.”
In light of active exploitation of CVE-2018-4063, Federal Civilian Executive Branch (FCEB) agencies are advised to update their devices to a supported version or discontinue the use of the product by January 2, 2026, since it has reached end-of-support status.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Related news
March episode “In the Trend of VM” (#13): vulnerabilities of Microsoft, PAN-OS, СommuniGate and who should patch hosts with deployed application. I’m posting the translated video with a big delay, but it’s better than never. 😉 📹 Video on YouTube and LinkedIn🗞 Post on Habr (rus)🗒 Digest on the PT website Content: 🔻 00:00 Greetings […]
Threat actors are exploiting bulletproof hosting service Proton66 for malicious activities, including campaigns from SuperBlack ransomware operators, Android…
About Authentication Bypass – PAN-OS (CVE-2025-0108) vulnerability. PAN-OS is the operating system used in all Palo Alto Network NGFWs. This vulnerability allows an unauthenticated attacker to gain access to the PAN-OS management web interface. The attacker can then “invoke certain PHP scripts”, compromising the integrity and confidentiality of PAN-OS. 😏 🔹 The vendor bulletin was […]
About Authentication Bypass – PAN-OS (CVE-2025-0108) vulnerability. PAN-OS is the operating system used in all Palo Alto Network NGFWs. This vulnerability allows an unauthenticated attacker to gain access to the PAN-OS management web interface. The attacker can then “invoke certain PHP scripts”, compromising the integrity and confidentiality of PAN-OS. 😏 🔹 The vendor bulletin was […]
The authentication bypass vulnerability in the OS for the company's firewall devices is under increasing attack and being chained with other bugs, making it imperative for organizations to mitigate the issue ASAP.
The authentication bypass vulnerability in the OS for the company's firewall devices is under increasing attack and being chained with other bugs, making it imperative for organizations to mitigate the issue ASAP.
Pivoting from prior cyber espionage, the threat group deployed its backdoor tool set to ultimately push out RA World malware, demanding $2 million from its victim.
Critical security vulnerabilities have been found in Moxa cellular routers and network security appliances. Learn about CVE-2024-9138 &…
New episode “In The Trend of VM” (#10): 8 trending vulnerabilities of November, zero budget VM and who should look for patches. The competition for the best question on the topic of VM continues. 😉🎁 📹 Video on YouTube, LinkedIn🗞 Post on Habr (rus)🗒 Digest on the PT website Content: 🔻 00:29 Spoofing – Windows […]
New episode “In The Trend of VM” (#10): 8 trending vulnerabilities of November, zero budget VM and who should look for patches. The competition for the best question on the topic of VM continues. 😉🎁 📹 Video on YouTube, LinkedIn🗞 Post on Habr (rus)🗒 Digest on the PT website Content: 🔻 00:29 Spoofing – Windows […]
SUMMARY: VulnCheck has discovered a critical new vulnerability (CVE-2024-12856) affecting Four-Faith industrial routers (F3x24 and F3x36), with evidence…
About Elevation of Privilege – PAN-OS (CVE-2024-9474) vulnerability. An attacker with PAN-OS administrator access to the management web interface can perform actions on the Palo Alto device with root privileges. Linux commands can be injected via unvalidated input in script. The need for authentication and admin access could limit this vulnerability’s impact, but here we […]
About Elevation of Privilege – PAN-OS (CVE-2024-9474) vulnerability. An attacker with PAN-OS administrator access to the management web interface can perform actions on the Palo Alto device with root privileges. Linux commands can be injected via unvalidated input in script. The need for authentication and admin access could limit this vulnerability’s impact, but here we […]
About Authentication Bypass – PAN-OS (CVE-2024-0012) vulnerability. An unauthenticated attacker with network access to the Palo Alto device web management interface could gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated vulnerabilities. Firewalls of the PA, VM, CN series and the Panorama management platform are vulnerable. The vendor […]
The Shadowserver Foundation reports over 2,000 Palo Alto Networks firewalls have been hacked via two zero-day vulnerabilities: CVE-2024-0012…
The Shadowserver Foundation reports over 2,000 Palo Alto Networks firewalls have been hacked via two zero-day vulnerabilities: CVE-2024-0012…
The security vendor's Expedition firewall appliance's PAN-OS interface tool has racked up four critical security vulnerabilities under active attack in November, leading tit to advise customers to update immediately or and take them off the Internet.
Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance.