CISA Adds CVE 2018 4063 to KEV: Urgent AirLink Gateway Patch Plan

CISA has added a high‑risk Sierra Wireless AirLink vulnerability, CVE‑2018‑4063, to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation — a move that forces federal agencies to accelerate remediation under BOD 22‑01 and should prompt immediate action by any organization that still runs vulnerable ALEOS‑based AirLink gateways.

Background​

What CISA announced and why it matters​

CISA’s KEV Catalog is a living, evidence‑driven list of Common Vulnerabilities and Exposures (CVEs) that have been observed being weaponized in the wild. When CISA adds an entry to the KEV, Federal Civilian Executive Branch (FCEB) agencies are required by Binding Operational Directive (BOD) 22‑01 to remediate according to strict timelines; the catalog addition also serves as a practical prioritization signal for the private sector. The agency updates the KEV catalog rapidly when reliable evidence of exploitation exists, and its KEV additions are deliberately operational in tone — intended to convert threat intelligence into action. On or about the December 12, 2025 update cycle, CISA added CVE‑2018‑4063 — an Unrestricted Upload of File with Dangerous Type in Sierra Wireless AirLink ALEOS (ACEManager upload.cgi) — to the KEV Catalog. That CVE was originally disclosed by Cisco Talos in 2019, which published technical analysis and a proof‑of‑concept showing how authenticated file uploads could be turned into root remote code execution. The vulnerability’s technical profile and exploitability make it a classic and persistent risk to deployed gateways and industrial/remote infrastructure devices.

---

Technical overview: CVE‑2018‑4063 explained​

The root cause and attack vector​

CVE‑2018‑4063 is a file‑upload flaw in the ACEManager web component used by several Sierra Wireless AirLink devices. The upload handler permits an attacker who can authenticate to the web interface to specify upload paths and filenames that overwrite existing executable scripts or CGI wrappers. Because the ACEManager processes and runs those files with elevated privileges, an attacker who uploads a crafted wrapper or script can execute arbitrary commands as root on the device. Talos demonstrated an exploit flow that uploads a small shell wrapper and then invokes it through the device’s web path to confirm remote code execution.

Severity and impact metrics​

Public vulnerability records and vendor advisories assign a very high severity to this issue. NVD and Talos list CVSS v3 base scores in the high/critical range (CVSS 3.x values reported around 8.8–9.9 depending on the vector string and scoring source), and CISA’s ICS advisory historically grouped the ALEOS issues with other critical flaws that permit remote code execution and file upload. The practical upshot: an authenticated web‑based upload handler can be converted into root execution, enabling persistence, lateral movement, firmware modification, or device‑level pivoting into local networks.

Affected products and fixed versions​

Sierra Wireless and CISA’s industrial advisory list multiple AirLink models and ALEOS version ranges that were vulnerable historically. Affected models include ES450 and GX450 (ALEOS versions prior to 4.9.4 for those models) and a broader set of LS300, GX400/440, MP70/MP70E, RV50/50X, LX40/60 and others on older ALEOS releases. Sierra Wireless has published iterative ALEOS security advisories and released firmware updates in later ALEOS branches (for example, ALEOS 4.9.4 and later patches for the GX/ES family; more recent ALEOS 4.17.x releases consolidate fixes across multiple models). Organizations must consult vendor product pages and the device management portal to determine exact upgrade paths for each model.

---

Evidence of exploitation and the KEV decision​

What “evidence of active exploitation” means in practice​

CISA’s KEV additions are not theoretical warnings: the catalog is restricted to CVEs with reliable evidence of exploitation. Evidence can include observed telemetry from victims, incident response reports, log artifacts, confirmed abuse in attack campaigns, or third‑party threat intelligence corroboration. The original Talos disclosure included a proof‑of‑concept and technical details; since then the vulnerability has appeared in vulnerability databases and protection advisories, and CISA’s decision to add the CVE to KEV signals that ongoing exploitation was either observed or credibly reported to the agency. That said, public details about specific exploit campaigns or victim lists are often sparse; where necessary, analysts should assume exploitation may be opportunistic and widespread on internet‑exposed device sets.

Why older CVEs like CVE‑2018‑4063 still show up on KEV​

CVE‑2018‑4063 is several years old, but age is not a protection. Legacy appliances, unmanaged deployed fleets, industrial controllers, and embedded routers often remain in service with outdated firmware. CISA’s KEV criteria explicitly allow older CVEs to be added if there is evidence they are being exploited; when exploitable legacy devices are still connected to networks, attackers will and do revisit old defects. The KEV addition is therefore a practical reminder that “old” does not mean “harmless.”

---

Real‑world risk: who should be worried​

Federal exposure​

BOD 22‑01 makes remediation a compliance imperative for FCEB agencies: vulnerabilities with CVE IDs assigned prior to 2021 carry a default remediation window of six months; those assigned from 2021 onward typically must be handled within two weeks from the KEV listing date unless CISA prescribes otherwise. For a pre‑2021 CVE such as CVE‑2018‑4063, agencies will follow the established remediation timelines and reporting requirements — but the KEV tag elevates operational urgency for asset owners across the board.

Operational technology (OT), critical infrastructure, and remote telemetry​

AirLink devices are widely used as LTE/4G/5G gateways for remote telemetry, SCADA out‑of‑band management, point‑of‑sale terminals, and transportation/energy sector endpoints. Compromise of these gateways is particularly dangerous because it enables attackers to intercept telemetry, inject commands to downstream devices, alter firmware, or create persistent footholds in operational networks. For owners of deployed O&M networks, logistics telematics, or distributed IoT infrastructure, the vulnerability represents a high‑impact vector.

Small and medium enterprises​

SMBs that rely on managed gateways, third‑party network integrators, or devices installed and rarely updated are also at risk. Many enterprises treat router firmware like infrastructure plumbing and delay upgrades; attackers exploit those policy gaps. The KEV addition should trigger a rapid inventory and patch priority reassessment for any organization where AirLink devices still appear in inventory.

---

What administrators must do now — prioritized remediation plan​

• Inventory and identify: locate every Sierra Wireless AirLink device (ES‑, GX‑, RV‑, MP‑, LX‑, LS‑ families) on your network and map ALEOS firmware versions.
• Use network management tools, DHCP logs, and vendor device management platforms (AirLink Management Service / AirVantage / ALMS) to enumerate devices.
• Isolate and restrict management access: immediately ensure ACEManager (the web management interface) is not accessible from untrusted networks.
• Remove ACEManager from the WAN, restrict it to management VLANs, apply firewall rules, or enforce VPN/Private APN access.
• Patch or upgrade per vendor guidance: apply the vendor‑provided ALEOS updates that contain the fixes for CVE‑2018‑4063. If vendor patches are not immediately available for a specific model, plan for device replacement or network segmentation.
• Apply compensating controls where patching is delayed:
• Restrict HTTP/HTTPS/ACEManager access to trusted IPs only (ALEOS Trusted IP feature).
• Use VPNs or private APNs to limit exposure.
• Harden credentials and enforce MFA where management support exists.
• Hunt for indicators of compromise (IOC) and review logs:
• Look for unexpected modifications to ACEManager CGI scripts, unexpected POSTs to /cgi‑bin/upload.cgi, unusual reboot patterns, or suspicious file paths under /admin.
• Search firmware integrity checks, device NTP anomalies, or connections to unknown C2 hosts.
• Report and coordinate:
• For federal agencies, follow BOD 22‑01 reporting channels and the Continuous Diagnostics and Mitigation (CDM) dashboard requirements.
• If compromise is suspected, treat devices as potentially breached: isolate, preserve forensic images, and engage incident response.

Follow this sequential plan immediately; the KEV listing makes remediation an operational priority for federal agencies and a strong recommendation for all organizations.

---

Practical mitigations and vendor guidance​

• Apply vendor firmware updates from Sierra Wireless / Semtech: consult the official security advisories and ALEOS release notes to identify the correct patched release for each model. Vendor security pages and product bulletins consolidate the necessary firmware builds and mitigations.
• Disable ACEManager WAN access: ACEManager is the local management interface implicated in the vulnerability; disabling WAN exposure or placing it behind a private management network significantly reduces attack surface.
• Use device management platforms: move to centralized, vendor‑approved management tools (ALMS / AirVantage) that allow controlled, audited upgrades and reduce the need for web UI exposure.
• Enforce least privilege and credential hygiene: ensure unique, strong device passwords, rotate management credentials, and remove default or weak accounts.

---

Detection and hunting: what to look for​

• Web server upload attempts: unusual or unauthenticated POSTs to /cgi‑bin/upload.cgi or other ACEManager endpoints are direct red flags.
• New or altered CGI scripts in administrative directories: an attacker exploiting the upload flaw often overwrites a script file that retains executable bits; file timestamps and file content diffs are telltale signs.
• Unexpected management sessions: logins from unknown IPs, especially on management ports (9191 or other ALEOS ports), warrant immediate investigation.
• Outbound telemetry from gateways: anomalous DNS queries, unexpected VPN tunnels, or connections to uncommon external hosts may indicate compromise.
• Persistence artifacts: evidence of scheduled tasks, altered init scripts, or modified firmware images should be treated as indicators of compromise.

Talos’ published PoC demonstrates the basic exploit sequence and provides concrete patterns you can search for during log triage; use it as a technical reference while aligning to legal and internal incident‑handling procedures.

---

Critical analysis: strengths, risks, and operational implications​

Strengths of the KEV action​

• Clear prioritization: KEV additions convert threat intelligence into operational mandates, making it easier for agencies and security teams to prioritize scarce patching resources.
• Evidence‑based action: KEV’s criteria require evidence of exploitation and a clear remediation path (patch or removal), which reduces noise and focuses attention on real, present threats.
• Pressure to modernize: Adding older but still‑exploitable CVEs forces organizations to address long‑standing asset‑management problems (stale firmware, unsupported devices, weak management practices).

Risks and practical difficulties​

• Patch availability and device lifecycles: many IoT/OT devices have complex upgrade paths or are embedded in vendor stacks; some devices may no longer receive patches, requiring replacement or segmentation. The KEV requirement to “patch or remove” can be operationally difficult for critical‑path infrastructure where firmware upgrades must be certified and tested.
• False sense of coverage: KEV is a prioritized list but not exhaustive; focusing exclusively on KEV vulnerabilities can leave other exploitable flaws unattended. A balanced vulnerability management program must include routine scanning, configuration management, and asset lifecycle controls.
• Limited public attribution: while KEV additions indicate exploitation, public details about campaigns are often limited. This reduces the ability of defenders to match IOCs with known adversary patterns; the absence of attribution can complicate forensic timelines and threat modeling. Where public exploit telemetry is scant, defenders must assume broad risk and hunt accordingly.

Operational impact on federal timelines​

Because CVE‑2018‑4063 predates 2021, BOD 22‑01’s default six‑month remediation window applies unless CISA specifies a shorter due date. Nevertheless, the presence of active exploitation could prompt accelerated deadlines or directed actions. Agencies should treat this as high urgency and report remediation progress per CDM dashboard expectations. Delay or noncompliance exposes mission systems to realistic compromise scenarios.

---

Practical checklist: immediate steps for IT/security teams​

• Run an urgent inventory: identify all AirLink and ALEOS devices and capture firmware versions.
• Block management access from untrusted networks: firewall rules, VPN enforcement, or disabling ACEManager WAN access.
• Apply vendor patches: prioritize devices for staged upgrades; engage suppliers for problematic models.
• Segment and isolate: if patching is delayed, isolate affected devices onto restricted management VLANs.
• Hunt and log: search for POST /cgi‑bin/upload.cgi, new CGI/exec artifacts, and foreign management sessions.
• Report per compliance rules: federal agencies must adhere to BOD 22‑01 reporting; private organizations should document remediation actions for risk and insurance processes.
• Plan device lifecycle remediation: replace end‑of‑life devices that cannot be patched and ensure future device procurement includes firmware support guarantees.

This ordered checklist balances immediate containment with medium‑term remediation and asset lifecycle management.

---

Unverifiable claims and cautious notes​

• Public campaign details are limited: while CISA’s KEV addition signals evidence of exploitation, public reporting does not always include full victim lists, actor attribution, or forensic artifacts for every campaign. Analysts should treat CISA’s KEV action as authoritative evidence of risk but recognize that the external visibility into specific intrusions may remain partial. Where attribution or campaign specifics are unavailable, focus on containment, detection, and eradication.
• Vendor timelines vary by model: exact patched ALEOS builds differ by model and sub‑release; always verify the precise firmware file and upgrade path for each serial number against the vendor’s security advisories and release notes rather than relying on generic version guidance.

---

Conclusion​

CISA’s addition of CVE‑2018‑4063 to the KEV Catalog re‑emphasizes a recurring and stubborn problem in security operations: internet‑exposed management interfaces and unpatched embedded devices remain prime entry points for attackers. The underlying vulnerability — an unrestricted, authenticated file upload in ACEManager that can be weaponized into root remote code execution — is straightforward in principle and disastrous in consequence for affected environments. Talos’ PoC and multiple vendor and advisory records confirm the technical mechanics; CISA’s KEV action converts that technical risk into an operational mandate for federal agencies and a practical call to action for every organization that manages AirLink hardware. Immediate priorities are clear: inventory, restrict ACEManager exposure, apply vendor firmware updates, and hunt for signs of exploitation. For operators of OT and remote infrastructure, where gateways are mission‑critical and difficult to upgrade overnight, the pragmatic combination of network segmentation, management access lockdown, and a documented mitigation/replacement strategy is essential. The KEV listing is an opportunity — and a warning — to treat device firmware and management interfaces with the same discipline applied to server and endpoint patching cycles.

---

---

Source: CISA CISA Adds One Known Exploited Vulnerability to Catalog | CISA