Attack

CISA reports active exploitation of Sierra Wireless Router vulnerability

Take action: If you have Sierra Wireless AirLink ES450 routers or related products, make sure they are isolated from the internet and only accessible from trusted networks with VPN or dedicated VLANs. Since these devices are End-of-Life, there are no security patches available. Plan to replace them entirely as soon as possible.


Learn More

CISA is reporting active exploitation of Sierra Wireless AirLink ALEOS routers. 

The vulnerability is tracked as CVE-2018-4063 (CVSS score 8.8/9.9), an unrestricted file upload flaw that enables remote code execution through specially crafted HTTP requests. Attackers can upload files with names matching existing executable files such as fw_upload_init.cgi. Because the application lacks proper restrictions on file overwrites, uploaded payloads inherit the original file's execution permissions. Since the ACEManager component operates with root privileges, any uploaded shell script or executable is executed with full administrative access, providing threat actors with complete control over the compromised device. 
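The overwrite behaviour described above, reproduced in a temporary directory beside a hardened handler. This is an added example, not Sierra Wireless or CISA code; the function names, the second filename and the assumption that uploads land in the same directory as the CGI scripts are constructed for illustration.

```python
import os
import stat
import tempfile

def naive_save(upload_dir, filename, data):
    """Vulnerable pattern: truncates and rewrites whatever already exists."""
    path = os.path.join(upload_dir, filename)
    with open(path, "wb") as f:   # an existing file keeps its mode bits
        f.write(data)
    return path

def safe_save(upload_dir, filename, data):
    """Hardened pattern: no path components, no overwrite, never executable."""
    if filename != os.path.basename(filename) or filename in ("", ".", ".."):
        raise ValueError("filename must not contain path components")
    path = os.path.join(upload_dir, filename)
    # O_EXCL fails if the name already exists; mode 0o600 carries no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def is_executable(path):
    return bool(os.stat(path).st_mode & stat.S_IXUSR)

def demo():
    """Build a constructed CGI directory and compare both handlers."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cgi = os.path.join(d, "fw_upload_init.cgi")  # name taken from the article
        with open(cgi, "wb") as f:
            f.write(b"#!/bin/sh\necho original\n")
        os.chmod(cgi, 0o755)                         # shipped as executable
        naive_save(d, "fw_upload_init.cgi", b"constructed upload body\n")
        with open(cgi, "rb") as f:
            results["naive_overwrote"] = f.read() == b"constructed upload body\n"
        results["naive_still_executable"] = is_executable(cgi)
        try:
            safe_save(d, "fw_upload_init.cgi", b"x")
            results["safe_rejected_collision"] = False
        except FileExistsError:
            results["safe_rejected_collision"] = True
        new = safe_save(d, "config_backup.bin", b"x")  # constructed filename
        results["safe_new_file_executable"] = is_executable(new)
    return results

if __name__ == "__main__":
    print(demo())
```

The naive handler leaves the replaced file executable because truncating an existing file does not reset its permissions, which is why the overwrite alone is enough for code execution when the web service runs as root.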

The vulnerability affects Sierra Wireless AirLink ES450 firmware version 4.9.3 and related products. Active exploitation of this vulnerability has been confirmed through multiple attack campaigns:

  • RondoDox botnet malware
  • Redtail cryptocurrency miners
  • ShadowV2 malware

The affected Sierra Wireless AirLink products have reached End-of-Life and End-of-Service status, so the vendor is no longer releasing security patches or firmware updates for these legacy devices. CISA has explicitly advised against continued use of these products and strongly recommends that organizations discontinue their deployment entirely. Federal Civilian Executive Branch agencies operating under Binding Operational Directive BOD 22-01 have been given a mandatory deadline of January 2, 2026 to either update affected devices to supported versions or completely remove them from their infrastructure. 

Organizations still using vulnerable Sierra Wireless AirLink devices should inventory all deployed routers, isolate the ACEManager web interface from untrusted networks, and restrict management interfaces to dedicated VLANs with VPN or Private APN access only. Then plan to replace the devices.
