Cyber Resilience

CVE-2018-4063

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 06 May 2019

Modified: 15 December 2025
KEV Added: 12 December 2025
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0218 (84.7th percentile)
Risk Priority: 39 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2018-4063 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Sierra Wireless ALEOS. Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 15.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).

Deeper analysis

The vulnerability is an unrestricted file upload flaw, tracked as CVE-2018-4063 and assigned CWE-434, that affects the upload.cgi component of Sierra Wireless AirLink ES450 firmware version 4.9.3. A specially crafted HTTP request can cause executable code to be written to a location that is both routable and directly executable by the embedded web server, resulting in remote code execution.

An attacker who can supply valid credentials may send an authenticated HTTP request to the device and thereby upload and execute arbitrary code. The flaw carries a CVSS 3.1 score of 8.8, reflecting network attack vector, low complexity, and the ability to impact confidentiality, integrity, and availability without user interaction.

Public advisories and proof-of-concept material have been published by Talos (TALOS-2018-0748) and ICS-CERT (ICSA-19-122-03), along with exploit code on Packet Storm. No additional mitigation details are provided in the available references.

EU & UK References

Vulnerability details

An exploitable remote code execution vulnerability exists in the upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

sierrawireless aleos: ≤ 4.4.9 · ≤ 4.11.0 · ≤ 4.9.4

Mitigating Controls (NIST 800-53 r5)

[prevent] SI-10 (Information Input Validation): Directly requires validation of uploaded files in upload.cgi to reject executable content before it is written to a routable web-server path.

[prevent, detect] SI-3 (Malicious Code Protection): Requires malicious-code scanning and blocking of the specially crafted executable uploaded via the authenticated HTTP request.

[prevent] Enforces least functionality by disabling execution of user-supplied files in the web-server directories used by upload.cgi.
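The three controls above describe one upload-handler policy: reject executable content before anything is written, and write accepted files only to a location the web server neither serves nor executes. The following Python is an added illustration of that policy, not code from Sierra Wireless or from this page; the extension allowlist, magic-byte table and sample uploads are constructed for the example.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Constructed policy for this example: an extension allowlist and the
# magic bytes of content an embedded web server could execute directly.
ALLOWED_EXTENSIONS = {".txt", ".csv", ".log", ".json"}
EXECUTABLE_MAGIC = (
    b"\x7fELF",  # ELF binary, typical on Linux-based gateways
    b"#!",       # script with an interpreter line
)

def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """SI-10 style check: reject path tricks, bad extensions and executable content."""
    name = Path(filename).name  # drop any client-supplied directory part
    if name in ("", ".", "..") or name != filename:
        return False, "path components in filename"
    ext = Path(name).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not allowed"
    if any(data.startswith(magic) for magic in EXECUTABLE_MAGIC):
        return False, "executable content detected"
    if b"\x00" in data[:512]:
        return False, "binary content in a text-only upload"
    return True, "ok"

def store_upload(data: bytes, ext: str, storage_dir: Path) -> Path:
    """Write outside the served tree with a random name and mode 0600 (no execute bit)."""
    storage_dir.mkdir(parents=True, exist_ok=True)
    dest = storage_dir / (secrets.token_hex(16) + ext)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest

def demo() -> dict:
    """Run the policy over constructed uploads; returns results for checking."""
    samples = {
        "report.csv": b"id,value\n1,2\n",
        "update.cgi": b"#!/bin/sh\necho hi\n",
        "notes.txt": b"\x7fELF\x02\x01\x01",
        "../notes.txt": b"hello",
    }
    results = {n: validate_upload(n, d)[0] for n, d in samples.items()}
    with tempfile.TemporaryDirectory() as tmp:
        dest = store_upload(samples["report.csv"], ".csv", Path(tmp) / "uploads")
        results["stored_not_executable"] = (dest.stat().st_mode & 0o111) == 0
    return results
```

Only the first sample passes; the `.cgi` name, the ELF payload behind a `.txt` extension and the traversal attempt are all refused before any write happens.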

References