HIGH🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2018-4063

CVSS 8.8v3.1pub. 2019-05-06upd. 2025-12-15

An exploitable remote code execution vulnerability exists in the upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Sierrawireless Airlink Es440

    HW
    Sierrawireless
    wszystkie wersje
  • Sierrawireless Airlink Es450

    HW
    Sierrawireless
    wszystkie wersje
  • Sierrawireless Airlink Gx400

    HW
    Sierrawireless
    wszystkie wersje
  • Sierrawireless Airlink Gx440

    HW
    Sierrawireless
    wszystkie wersje
  • Sierrawireless Airlink Gx450

    HW
    Sierrawireless
    wszystkie wersje
  • Sierrawireless Airlink Ls300

    HW
    Sierrawireless
    wszystkie wersje
  • Sierrawireless Airlink Lx40

    HW
    Sierrawireless
    wszystkie wersje
  • Sierrawireless Airlink Lx60

    HW
    Sierrawireless
    wszystkie wersje
  • Sierrawireless Airlink Mp70

    HW
    Sierrawireless
    wszystkie wersje
  • Sierrawireless Airlink Mp70e

    HW
    Sierrawireless
    wszystkie wersje
  • Sierrawireless Airlink Rv50

    HW
    Sierrawireless
    wszystkie wersje
  • Sierrawireless Airlink Rv50x

    HW
    Sierrawireless
    wszystkie wersje
  • Sierrawireless Aleos

    OS
    Sierrawireless
    < 4.9.4< 4.4.9< 4.11.0

CISA KEV — detailsi

Vendori
Sierra Wireless
Producti
AirLink ALEOS
Added to KEVi
December 12, 2025
Remediation deadline (US Federal)i
January 2, 2026(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

Sierra Wireless AirLink ALEOS contains an unrestricted upload of file with dangerous type vulnerability. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 2 stycznia 2026
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2019-11851CRITICAL9.8ten sam produkt

The ACENet service in Sierra Wireless ALEOS before 4.4.9, 4.5.x through 4.9.x before 4.9.5, and 4.10.x through...

CVE-2019-11857CRITICAL9.1ten sam produkt

Lack of input sanitization in AceManager of ALEOS before 4.12.0, 4.9.5 and 4.4.9 allows disclosure of sensitiv...

CVE-2018-10251CRITICAL9.8ten sam produkt

A vulnerability in Sierra Wireless AirLink GX400, GX440, ES440, and LS300 routers with firmware before 4.4.7 a...

CVE-2023-38321HIGH7.5ten sam produkt

OpenNDS, as used in Sierra Wireless ALEOS before 4.17.0.12 and other products, allows remote attackers to caus...

CVE-2023-40459HIGH7.5ten sam produkt

The ACEManager component of ALEOS 4.16 and earlier does not adequately perform input sanitization dur...