Key Takeaways
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity flaw, CVE-2018-4063, to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation in the wild.
- The vulnerability affects Sierra Wireless AirLink ALEOS routers and could allow remote code execution through a malicious HTTP request.
- The flaw was first reported in 2018 and has been exploited by threat actors, including a previously undocumented threat cluster named Chaya_005.
- Federal Civilian Executive Branch (FCEB) agencies are advised to update their devices to a supported version or discontinue use by January 2, 2026.
- Industrial routers are a common target for cyber attacks, with threat actors attempting to deliver malware and exploit vulnerabilities.
Introduction to the Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a high-severity flaw, CVE-2018-4063, to its Known Exploited Vulnerabilities (KEV) catalog. This vulnerability affects Sierra Wireless AirLink ALEOS routers and has been exploited in the wild. The flaw is an unrestricted file upload vulnerability that could allow remote code execution through a malicious HTTP request. This means that an attacker could upload a malicious file to the router, which could then be executed, potentially allowing the attacker to gain control of the device.
Details of the Vulnerability
The vulnerability, CVE-2018-4063, was first reported in 2018 by Cisco Talos, which described it as an exploitable remote code execution vulnerability in the ACEManager "upload.cgi" function of Sierra Wireless AirLink ES450 firmware version 4.9.3. The flaw lies in the template file upload capability of the AirLink ES450: no restrictions protect the files already on the device, so an attacker could upload a file with the same name as an existing one and overwrite it, potentially allowing them to execute code with elevated privileges. Because ACEManager runs as root, any shell script or executable uploaded to the device would also run with root privileges.
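As an added illustration (not ACEManager or ALEOS code), the weak upload pattern the report describes, beside a hardened handler that refuses unexpected names, paths outside the template directory and, above all, any overwrite of a file already on the device. The `.xml` template naming rule and the function names are assumptions made for the example.

```python
import os
import re
import tempfile

# Assumed template naming rule for this example: a short plain name plus ".xml".
TEMPLATE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.xml$")


def vulnerable_save(upload_dir: str, filename: str, data: bytes) -> str:
    """Weak pattern: trusts the client-supplied name and overwrites freely."""
    path = os.path.join(upload_dir, filename)
    with open(path, "wb") as fh:  # silently replaces whatever is already there
        fh.write(data)
    return path


def hardened_save(upload_dir: str, filename: str, data: bytes) -> str:
    """Hardened pattern: strict name allowlist, directory containment, no overwrite."""
    if not TEMPLATE_NAME.fullmatch(filename):
        raise ValueError("rejected: name not in allowed template form")
    base = os.path.realpath(upload_dir)
    path = os.path.realpath(os.path.join(base, filename))
    if os.path.dirname(path) != base:  # defense in depth behind the name check
        raise ValueError("rejected: path escapes upload directory")
    try:
        # O_EXCL makes creation fail if the name exists, so an upload can never
        # replace a file that is already on the device.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        raise ValueError("rejected: a file with that name already exists")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def demo() -> dict:
    """Run both handlers against the same hostile uploads in a scratch directory."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        existing = os.path.join(d, "site.xml")  # constructed pre-existing config
        with open(existing, "wb") as fh:
            fh.write(b"<config>original</config>")
        vulnerable_save(d, "site.xml", b"<config>replaced</config>")
        with open(existing, "rb") as fh:
            results["vuln_overwrote"] = fh.read() == b"<config>replaced</config>"
        for name in ("site.xml", "../evil.sh", "run.sh"):
            try:
                hardened_save(d, name, b"x")
                results[name] = "accepted"
            except ValueError as exc:
                results[name] = str(exc)
        hardened_save(d, "new.xml", b"<config/>")
        results["new_accepted"] = os.path.exists(os.path.join(d, "new.xml"))
    return results
```

The hardened handler still needs to run as an unprivileged user; no name check helps if the web process itself is root.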
Exploitation of the Vulnerability
The addition of CVE-2018-4063 to the KEV catalog comes after a honeypot analysis conducted by Forescout revealed that industrial routers are the most attacked devices in operational technology (OT) environments. Threat actors have been attempting to deliver botnet and cryptocurrency miner malware families like RondoDox, Redtail, and ShadowV2 by exploiting various flaws, including CVE-2018-4063. Additionally, a previously undocumented threat cluster named Chaya_005 was found to have weaponized CVE-2018-4063 in early January 2024 to upload a malicious payload. However, it is believed that this threat cluster is no longer a significant threat.
Recommendations and Next Steps
In light of the active exploitation of CVE-2018-4063, Federal Civilian Executive Branch (FCEB) agencies are advised to update their devices to a supported version or discontinue the use of the product by January 2, 2026, since it has reached end-of-support status. This is a critical step in preventing further exploitation of the vulnerability and protecting against potential cyber attacks. It is also important for organizations to be aware of the risks associated with industrial routers and to take steps to secure these devices, such as implementing robust security measures and regularly updating software and firmware.
Conclusion and Future Implications
The addition of CVE-2018-4063 to the KEV catalog highlights the importance of staying vigilant and proactive in the face of evolving cyber threats. As industrial routers continue to be a common target for cyber attacks, it is essential for organizations to prioritize the security of these devices and take steps to prevent exploitation. By staying informed about potential vulnerabilities and taking prompt action to address them, organizations can help protect themselves against cyber threats and prevent potential attacks. The case of CVE-2018-4063 serves as a reminder of the importance of ongoing cybersecurity efforts and the need for continuous monitoring and updating of devices to prevent exploitation.