CVE-2018-4063
Published: 06 May 2019
Summary
CVE-2018-4063 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Sierrawireless Aleos. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 15.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Deeper analysis
The vulnerability is an unrestricted file upload flaw, tracked as CVE-2018-4063 and assigned CWE-434, that affects the upload.cgi component of Sierra Wireless AirLink ES450 firmware version 4.9.3. A specially crafted HTTP request can cause executable code to be written to a location that is both routable and directly executable by the embedded web server, resulting in remote code execution.
An attacker who can supply valid credentials may send an authenticated HTTP request to the device and thereby upload and execute arbitrary code. The flaw carries a CVSS 3.1 score of 8.8, reflecting network attack vector, low complexity, and the ability to impact confidentiality, integrity, and availability without user interaction.
Public advisories and proof-of-concept material have been published by Talos (TALOS-2018-0748) and ICS-CERT (ICSA-19-122-03), along with exploit code on Packet Storm. No additional mitigation details are provided in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2018-15849
Vulnerability details
An exploitable remote code execution vulnerability exists in the upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability.
- CWE(s): CWE-434
- KEV Date Added: 12 December 2025
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of uploaded files in upload.cgi to reject executable content before it is written to a routable web-server path.
- SI-3 (Malicious Code Protection): requires malicious-code scanning and blocking of the specially crafted executable uploaded via the authenticated HTTP request.
- CM-7 (Least Functionality): enforces least functionality by disabling execution of user-supplied files in the web-server directories used by upload.cgi.
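As an added example, not code from Sierra Wireless, Talos or this record, this is the shape of upload handling that SI-10 and CM-7 call for: the file name and extension are allow-listed, the content is checked for executable magic bytes instead of trusting the extension, and an accepted file is written with mode 0600 under a directory the caller is assumed to keep outside the web root (`upload_dir` is a hypothetical parameter). The sample uploads at the bottom are constructed.

```python
import os
import re
import stat
import tempfile

ALLOWED_EXTENSIONS = {".json", ".txt", ".png"}
# Leading bytes of common executable formats: ELF, PE/EXE, shebang script, Mach-O (both byte orders).
EXECUTABLE_MAGIC = (b"\x7fELF", b"MZ", b"#!", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")
# Allow-list for file names: no leading dot, no path separators, bounded length.
NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

class UploadRejected(ValueError):
    """Raised when an upload fails validation."""

def validate_upload(name: str, data: bytes) -> str:
    """SI-10: allow-list name and extension, then reject executable content by magic bytes."""
    if not NAME_RE.fullmatch(name):
        raise UploadRejected(f"unsafe file name: {name!r}")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    if data.startswith(EXECUTABLE_MAGIC):
        raise UploadRejected("executable content detected")
    return name

def store_upload(name: str, data: bytes, upload_dir: str) -> str:
    """CM-7: write the accepted file under a non-web-root directory, mode 0600, never executable."""
    safe_name = validate_upload(name, data)
    path = os.path.join(upload_dir, safe_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def verdict(name: str, data: bytes) -> str:
    """'accepted' or 'rejected: <reason>' for one upload."""
    try:
        validate_upload(name, data)
        return "accepted"
    except UploadRejected as e:
        return f"rejected: {e}"

def stored_mode(name: str, data: bytes) -> int:
    """Store into a throwaway directory and return the resulting permission bits."""
    with tempfile.TemporaryDirectory() as d:
        return stat.S_IMODE(os.stat(store_upload(name, data, d)).st_mode)

# Constructed samples: an ELF renamed to .png, a shell script, a traversal name, a benign PNG.
SAMPLES = {"tool.png": b"\x7fELF" + b"\0" * 12, "update.sh": b"#!/bin/sh\n",
           "../etc/passwd.txt": b"x", "photo.png": b"\x89PNG\r\n\x1a\n"}
```

`verdict` gives a one-line decision per sample, and `stored_mode` shows the on-disk permissions an accepted file ends up with.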