CISA Adds Actively Exploited Sierra Wireless Router Flaw Enabling RCE Attacks

These articles are AI-generated summaries. Please check the original sources for full details.

Sierra Wireless Router Vulnerability Exploited in the Wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2018-4063, a high-severity vulnerability in Sierra Wireless AirLink ALEOS routers, to its Known Exploited Vulnerabilities (KEV) catalog on December 13, 2025, following reports of active exploitation. This flaw, with a CVSS score of 8.8/9.9, allows attackers to achieve remote code execution.

Why This Matters

Ideal security models assume timely patching and diligent configuration; however, many organizations operate legacy systems with limited support. This six-year-old vulnerability demonstrates the continued risk posed by unpatched flaws, even with public disclosure in 2019. The potential scale of compromise is significant, particularly in operational technology (OT) environments where industrial routers are increasingly targeted, as evidenced by Forescout’s recent honeypot analysis.

Key Insights

  • CVE-2018-4063 (Cisco Talos, 2019): An unrestricted file upload vulnerability in the ACEManager “upload.cgi” function of Sierra Wireless AirLink routers.
  • OT Targeting (Forescout, 2025): Industrial routers are the most attacked devices in OT environments, with threat actors deploying malware like RondoDox and ShadowV2.
  • Chaya_005 (Forescout, 2025): A threat cluster actively weaponized CVE-2018-4063 in January 2024 to upload malicious payloads.

Practical Applications

  • Use Case: OT environments utilizing Sierra Wireless routers for remote management are at risk of compromise and potential disruption of operations.
  • Pitfall: Relying on outdated firmware and neglecting vulnerability management can create long-lived attack vectors, even for publicly known flaws.
