The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently included a high-severity vulnerability affecting Sierra Wireless AirLink ALEOS routers in its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation in the wild.
The vulnerability, known as CVE-2018-4063, allows for unrestricted file upload, potentially leading to remote code execution through a malicious HTTP request.
Cisco Talos publicly disclosed details of this six-year-old flaw, describing it as an exploitable remote code execution vulnerability in the ACEManager function of Sierra Wireless AirLink ES450 firmware version 4.9.3.
The flaw arises from the lack of file upload restrictions within the AirLink 450, enabling an attacker to upload executable code with elevated privileges.
A honeypot analysis by Forescout found that industrial routers are prime targets in operational technology environments, with threat actors exploiting vulnerabilities to deploy malware families such as RondoDox and Redtail.
Additionally, a threat cluster named Chaya_005 was found to have leveraged CVE-2018-4063 to upload malicious payloads, indicating a broader reconnaissance campaign rather than a targeted attack.
As a precaution, and because the product has reached end-of-support status, Federal Civilian Executive Branch agencies are urged to update their devices or discontinue use of the product by January 2, 2026.




