Active Exploitation of CVE-2018-4063 in Sierra Wireless ES450 Routers

Aegiron 7 mins0

CVE ID: CVE-2018-4063
Severity: High (CVSS ~9.0)
Issue Type: Authenticated remote code execution through malicious file upload
Exploitation Status: Actively exploited; added to CISA’s Known Exploited Vulnerabilities list in December 2025

What This Vulnerability Is About

CVE-2018-4063 is a serious flaw affecting Sierra Wireless AirLink ES450 routers running ALEOS firmware version 4.9.3. The issue sits in the router’s web-based management interface, known as ACEManager.

In simple terms, once an attacker logs into the router’s admin panel, they can upload a file that shouldn’t be allowed and get the router to execute it. That means the attacker can run their own commands directly on the device, turning a trusted network router into something they fully control.

How the Attack Works in Practice

The ACEManager interface includes a file upload feature meant for legitimate tasks like configuration or firmware handling. Due to a design flaw, this upload function does not properly limit what kind of files can be uploaded or where those files are placed on the system.

If an attacker gains admin access — often through weak, reused, or stolen credentials — they can do the following:

  • Upload a malicious script or executable using a crafted HTTP request.
  • Place or overwrite a file in a directory that the router’s web server treats as executable.
  • Trigger that file through the web interface, causing it to run with very high privileges (often as root).

At that point, the attacker isn’t limited to normal admin settings anymore. They can execute arbitrary commands on the router itself.

What an Attacker Can Do After Exploitation

Once this vulnerability is exploited, the router is effectively compromised. An attacker can:

  • Modify routing, VPN, firewall, and DNS configurations.
  • Monitor, intercept, or redirect network traffic passing through the device.
  • Install backdoors or malware to maintain long-term access.
  • Use the router as a stepping stone to attack internal systems, OT environments, or cloud resources behind it.

Because the ES450 is commonly deployed at network edges, compromising it often gives attackers visibility and access far beyond the router itself.

Why This Old Bug Is a Current Threat

Although CVE-2018-4063 was disclosed years ago and patched firmware has existed for some time, many devices in the field were never updated.

In industrial, telecom, and critical infrastructure environments, firmware upgrades are often postponed due to uptime requirements, limited maintenance windows, or a general reluctance to change systems that appear to be working. Attackers are well aware of this and actively scan for older AirLink devices still running vulnerable firmware.

Recent confirmed exploitation in real-world attacks is the reason this vulnerability was added to CISA’s Known Exploited Vulnerabilities list and elevated in priority.

Who Faces the Highest Risk

This vulnerability is especially concerning for organizations using ES450 routers in sensitive or remote environments, including:

  • Critical infrastructure operators (energy, utilities, transportation, smart cities).
  • Industrial and OT networks using cellular or remote connectivity.
  • Telecommunications providers using these routers for backhaul or customer premises equipment.
  • Government and public sector organizations supporting field sites or remote offices.

In these scenarios, the router often acts as the main gateway between internal systems and external networks, so a compromise can have wide-ranging consequences.

What Organizations Should Do Now

Identify affected devices
Create an inventory of Sierra Wireless AirLink ES450 (and related ALEOS-based models) and verify which firmware versions are in use.

Patch or replace
Upgrade to the latest supported ALEOS firmware that addresses this vulnerability. If the device is end-of-life or cannot be updated, plan for replacement.

Restrict management access

  • Do not expose the ACEManager web interface directly to the internet.
  • Place it behind a VPN or dedicated admin network.
  • Enforce strong, unique administrative credentials.

Check for signs of compromise

  • Look for unexpected uploaded files, scripts, or CGI content.
  • Review logs for suspicious admin logins or unexplained configuration changes.
  • Monitor for unusual outbound traffic originating from the router.

Limit blast radius
Treat these routers as high-risk edge devices and restrict how much of the internal network they can access.

Final Thoughts

CVE-2018-4063 is a high-impact vulnerability in widely used industrial and telecom routers. It allows anyone who can log into the web interface to upload malicious code and take complete control of the device. That control can then be used to spy on traffic, disrupt operations, or attack other systems on the network.

Because this flaw is now being actively exploited, organizations still running vulnerable ES450 firmware should treat fixing, isolating, or replacing these routers as an urgent security task — not routine maintenance.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.