Cyber Web Spider Blog – News

CISA Adds Actively Exploited Sierra Wireless Router Flaw Enabling RCE Attacks

Posted on December 13, 2025 By CWS

Dec 13, 2025Ravie LakshmananNetwork Safety / Vulnerability
The U.S. Cybersecurity and Infrastructure Safety Company (CISA) on Friday added a high-severity flaw impacting Sierra Wi-fi AirLink ALEOS routers to its Recognized Exploited Vulnerabilities (KEV) catalog, following reviews of energetic exploitation within the wild.
CVE-2018-4063 (CVSS rating: 8.8/9.9) refers to an unrestricted file add vulnerability that might be exploited to realize distant code execution by the use of a malicious HTTP request.
“A specifically crafted HTTP request can add a file, leading to executable code being uploaded, and routable, to the webserver,” the company stated. “An attacker could make an authenticated HTTP request to set off this vulnerability.”

Details of the six-year-old flaw were publicly shared by Cisco Talos in April 2019, describing it as an exploitable remote code execution vulnerability in the ACEManager “upload.cgi” function of Sierra Wireless AirLink ES450 firmware version 4.9.3. Talos reported the flaw to the Canadian company in December 2018.
“This vulnerability exists in the file upload capability of templates within the AirLink 450,” the company said. “When uploading template files, you can specify the name of the file that you are uploading.”
“There are no restrictions in place that protect the files that are currently on the device, used for normal operation. If a file is uploaded with the same name of the file that already exists in the directory, then we inherit the permissions of that file.”
Talos noted that some of the files that exist in the directory (e.g., “fw_upload_init.cgi” or “fw_status.cgi”) have executable permissions on the device, meaning an attacker can send HTTP requests to the “/cgi-bin/upload.cgi” endpoint to upload a file with the same name to achieve code execution.
This is compounded by the fact that ACEManager runs as root, thereby causing any shell script or executable uploaded to the device to also run with elevated privileges.
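The overwrite-and-inherit behaviour Talos describes, set beside a hardened upload handler, as an added Python example (not Sierra Wireless or Talos code). The function names, the `.xml` naming policy and the sample files are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Hypothetical policy: template names are a short basename with a fixed extension.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.xml")

def naive_save(directory, name, data):
    """Pattern the advisory describes: caller-chosen name, no overwrite check."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:      # truncates an existing file, keeps its mode
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)

def safe_save(directory, name, data):
    """Hardened form: allowlisted name, never replaces a file, never executable."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("rejected file name: %r" % name)
    path = os.path.join(directory, name)
    # O_EXCL fails if the name exists; O_NOFOLLOW refuses a symlink at the path.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o600)             # final mode does not depend on the umask
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    """Run both handlers against a constructed directory; return what was observed."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        existing = os.path.join(d, "fw_status.cgi")   # constructed stand-in for a device CGI
        with open(existing, "wb") as fh:
            fh.write(b"original\n")
        os.chmod(existing, 0o755)
        results["naive_mode"] = naive_save(d, "fw_status.cgi", b"replaced\n")
        try:
            safe_save(d, "fw_status.cgi", b"replaced\n")
            results["safe_cgi"] = "written"
        except ValueError:
            results["safe_cgi"] = "rejected"
        results["safe_mode"] = safe_save(d, "site_a.xml", b"<template/>")
        try:
            safe_save(d, "site_a.xml", b"<template/>")
            results["safe_repeat"] = "written"
        except FileExistsError:
            results["safe_repeat"] = "rejected"
    return results
```

Running the upload service as an unprivileged user and keeping uploads in a directory the web server never executes from address the root-privilege point separately from the file-name checks shown here.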

The addition of CVE-2018-4063 to the KEV catalog comes a day after a honeypot analysis conducted by Forescout over a 90-day period revealed that industrial routers are the most attacked devices in operational technology (OT) environments, with threat actors attempting to deliver botnet and cryptocurrency miner malware families like RondoDox, Redtail, and ShadowV2 by exploiting the following flaws –

Attacks have also been recorded from a previously undocumented threat cluster named Chaya_005 that weaponized CVE-2018-4063 in early January 2024 to upload an unspecified malicious payload with the name “fw_upload_init.cgi.” No further successful exploitation efforts have been detected since then.
“Chaya_005 appears to be a broader reconnaissance campaign testing multiple vendor vulnerabilities rather than focusing on a single one,” Forescout Research – Vedere Labs said, adding it is likely the cluster is no longer a “significant threat.”
In light of active exploitation of CVE-2018-4063, Federal Civilian Executive Branch (FCEB) agencies are advised to update their devices to a supported version or discontinue the use of the product by January 2, 2026, since it has reached end-of-support status.
