CISA Adds Actively Exploited Sierra Wireless Router Flaw to KEV Catalog
Summary
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw (CVE-2018-4063) in Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation. The flaw, an unrestricted file upload vulnerability, allows remote code execution via malicious HTTP requests. The vulnerability, disclosed in 2019, affects the ACEManager 'upload.cgi' function in firmware version 4.9.3. It enables attackers to upload executable files with elevated privileges, as ACEManager runs as root. Forescout's honeypot analysis revealed that industrial routers are frequently targeted in OT environments, with threat actors exploiting multiple vulnerabilities to deliver botnet and cryptocurrency miner malware. A previously undocumented threat cluster, Chaya_005, weaponized CVE-2018-4063 in early 2024 but has since been deemed less significant.
Timeline
- 13.12.2025 14:33 (1 article)
  CISA Adds Actively Exploited Sierra Wireless Router Flaw to KEV Catalog
  CISA added CVE-2018-4063 to its KEV catalog due to active exploitation. The flaw, an unrestricted file upload vulnerability, allows remote code execution. Forescout's analysis revealed industrial routers are frequently targeted, with threat actors exploiting multiple vulnerabilities to deliver malware. The threat cluster Chaya_005 weaponized the flaw in early 2024 but is no longer considered significant.
- CISA Adds Actively Exploited Sierra Wireless Router Flaw Enabling RCE Attacks — thehackernews.com — 13.12.2025 14:33
Information Snippets
- CVE-2018-4063 is an unrestricted file upload vulnerability in Sierra Wireless AirLink ALEOS routers with a CVSS score of 8.8/9.9.
  First reported: 13.12.2025 14:33 (1 source, 1 article)
- The flaw allows remote code execution by uploading malicious files via HTTP requests.
  First reported: 13.12.2025 14:33 (1 source, 1 article)
- ACEManager runs as root, allowing uploaded files to execute with elevated privileges.
  First reported: 13.12.2025 14:33 (1 source, 1 article)
- Forescout's honeypot analysis identified industrial routers as the most attacked devices in OT environments.
  First reported: 13.12.2025 14:33 (1 source, 1 article)
- Threat actors exploited multiple vulnerabilities to deliver botnet and cryptocurrency miner malware.
  First reported: 13.12.2025 14:33 (1 source, 1 article)
- The threat cluster Chaya_005 weaponized CVE-2018-4063 in early 2024 but is no longer considered a significant threat.
  First reported: 13.12.2025 14:33 (1 source, 1 article)
- FCEB agencies are advised to update devices or discontinue use by January 2, 2026, due to end-of-support status.
  First reported: 13.12.2025 14:33 (1 source, 1 article)