By Lyrie Threat Intelligence·12/12/2025

What happened

CISA added CVE-2018-4063 to the Known Exploited Vulnerabilities (KEV) Catalog on 2025-12-12, which means CISA has reliable evidence of exploitation in the wild [CISA KEV]. The flaw affects Sierra Wireless AirLink ALEOS and is classified as an unrestricted upload of file with dangerous type (CWE-434) [NVD entry]. Per CISA's entry, a specially crafted, authenticated HTTP request can upload a file, resulting in executable code being placed where the embedded web server can serve and invoke it, which is the sense of "routable" in the CISA and NVD descriptions [CISA KEV]. CISA also notes the impacted product could be end-of-life/end-of-service (EoL/EoS) and recommends discontinuing use if mitigations are unavailable [CISA KEV]. CISA's ICS advisory for Sierra Wireless AirLink ALEOS devices provides additional vendor and mitigation context for operators [CISA ICSA-19-122-03].

Why it matters

Inclusion in the KEV catalog means active exploitation, which elevates this from a theoretical risk to an operational concern for any environment running ALEOS-managed AirLink gateways [CISA KEV]. Unrestricted file upload (CWE-434) flaws routinely let an attacker place web-executable payloads that can then be reached and invoked through the device's HTTP server, turning a file write into code execution on the embedded system [NVD entry]. The requirement for an authenticated request does not neutralize the threat when credentials are exposed or management interfaces are reachable from untrusted networks, a pattern CISA routinely flags in ICS/OT contexts through its advisories [CISA ICSA-19-122-03]. If affected units are EoL/EoS, patch or hardening options may be limited; CISA's guidance is to discontinue use when mitigations are not available [CISA KEV].

Technical detail

CVE-2018-4063 is a CWE-434 class vulnerability in Sierra Wireless AirLink ALEOS that allows a user with valid credentials to upload a file via a crafted HTTP request to the device's embedded web server [NVD entry]. The core exposure is that the upload mechanism does not sufficiently restrict the file's type or its destination, so an attacker can store executable content in a location that the embedded web application then serves and can execute [CISA KEV]. Because the vector is HTTP(S) and authenticated, exploitation requires network reachability to the management interface plus a valid session or credentials, matching the "authenticated request" precondition in the KEV description [CISA KEV]; in practice that bar is low wherever devices still carry unchanged default or shared administrative credentials. CISA's ICS advisory covering Sierra Wireless AirLink ALEOS documents mitigations and operational controls for web-admin exposures on these gateways, which apply directly to limiting reachability and upload abuse [CISA ICSA-19-122-03]. The KEV entry sets a remediation due date of 2026-01-02 and directs organizations to apply vendor mitigations, follow applicable federal guidance (BOD 22-01 for federal civilian agencies), or discontinue use where fixes are unavailable [CISA KEV].
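To make the CWE-434 mechanism concrete, the following Python is an added illustration written for this page; it is not ALEOS code, not Sierra Wireless code, and not a reconstruction of the actual vulnerable handler (which this page does not show). It places a minimal upload handler exhibiting the pattern described above (client-controlled name, no type check, written straight into the web-served tree) beside a hardened version. The extension allowlist, size limit, magic-byte list, the `www`/`store` directory layout and the file names are all assumptions made for the example.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Illustrative policy values (assumptions for this example, not ALEOS settings).
ALLOWED_EXT = {".txt", ".csv", ".png"}
MAX_BYTES = 512 * 1024
SCRIPT_MAGIC = (b"#!", b"<?", b"\x7fELF")   # bytes that mark content as executable/script


class UploadRejected(ValueError):
    """Raised by the hardened handler when an upload violates policy."""


def vulnerable_save(docroot: Path, client_filename: str, data: bytes) -> Path:
    """CWE-434 pattern: trusts the client-supplied name, checks neither type nor
    destination, and writes straight into the tree the web server serves.
    'shell.cgi' becomes invokable through the server and '../cgi-bin/shell.cgi'
    escapes the upload directory entirely (no normalisation, no allowlist)."""
    dest = Path(docroot) / client_filename
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return dest.resolve()


def hardened_save(store_dir: Path, client_filename: str, data: bytes) -> Path:
    """Hardened counterpart: allowlist the extension, refuse multiple extensions,
    sniff the content, choose the stored name server-side and keep the file
    outside the web root (store_dir must only ever be read back through a handler)."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("payload too large")
    base = os.path.basename(client_filename.replace("\\", "/"))  # drop any directory part
    if not base or base.startswith("."):
        raise UploadRejected("empty or hidden filename")
    ext = Path(base).suffix.lower()
    if ext not in ALLOWED_EXT:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if base.count(".") != 1:
        raise UploadRejected("multiple extensions not allowed")  # blocks shell.cgi.txt style names
    if data.startswith(SCRIPT_MAGIC):
        raise UploadRejected("content looks executable")
    dest = Path(store_dir) / f"{secrets.token_hex(16)}{ext}"   # server-chosen, unguessable name
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # O_EXCL: never overwrite
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Run both handlers against the same hostile upload in a scratch tree; returns what each did."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp) / "www"     # tree the embedded web server serves (assumed layout)
        store = Path(tmp) / "store"     # outside the web root (assumed layout)
        docroot.mkdir()
        store.mkdir()
        hostile_name = "../cgi-bin/shell.cgi"
        hostile_body = b"#!/bin/sh\nid\n"

        written = vulnerable_save(docroot, hostile_name, hostile_body)
        result = {
            "vulnerable_wrote_outside_docroot": docroot.resolve() not in written.parents,
            "vulnerable_suffix": written.suffix,
        }
        for key, name, body in (
            ("rejects_traversal_cgi", hostile_name, hostile_body),
            ("rejects_double_extension", "shell.cgi.txt", b"plain text"),
            ("rejects_script_body", "notes.txt", hostile_body),
        ):
            try:
                hardened_save(store, name, body)
                result[key] = False
            except UploadRejected:
                result[key] = True
        ok = hardened_save(store, "report.csv", b"a,b\n1,2\n")
        result["stored_name"] = ok.name
        result["stored_in_store"] = ok.parent == store
        return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two handlers differ in exactly the properties the paragraph above names: what the file may be (type and content) and where it lands (inside or outside the served tree). Rejecting on extension alone is not enough, which is why the hardened version also sniffs the body and refuses names with more than one dot.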

Defense

  • Prioritize identification of all Sierra Wireless AirLink devices running ALEOS and map the exposure of their web management interfaces; treat any internet-reachable interface as high risk given the confirmed exploitation recorded in KEV [CISA KEV].
  • If the affected product is EoL/EoS or mitigations are unavailable, plan for device retirement and replacement, per CISA's guidance to discontinue use [CISA KEV].
  • Where continued operation is required, follow CISA's ICS advisory mitigations: restrict management interfaces to trusted networks (VPN or a dedicated management VLAN rather than direct exposure), segment the gateways from the rest of the network, and monitor for anomalous web-admin activity [CISA ICSA-19-122-03].
  • Enforce strong, unique credentials for ALEOS administration, replace any default passwords, and revoke shared or legacy accounts to constrain the "authenticated request" prerequisite cited in the CVE description [NVD entry].
  • Inspect HTTP logs and reverse-proxy telemetry for unexpected file-upload POSTs and for newly appearing executable artifacts served from the device's web paths, the signature of unrestricted upload abuse [NVD entry]. Logging on the device itself may be sparse, so place the management interface behind a reverse proxy or network sensor that records request method, path, size and response code; a successful POST followed shortly by a first-time request for a script-like path from the same client is the sequence to alert on.
  • Track the KEV due date (2026-01-02) and document remediation status to meet mandated timelines where applicable [CISA KEV].
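As an added example of the log inspection recommended above (this is not Lyrie's detector and not anything from Sierra Wireless), the following Python correlates a successful POST with the first-ever successful GET of a script-like path from the same client within a time window, over constructed access-log lines. The combined-log-format layout, the endpoint names (`/upload`, `/uploads/shell.cgi`, `/cgi-bin/status.cgi`), the client addresses, timestamps and the executable-extension list are all assumptions made for the example; real ALEOS paths are not shown on this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-format request line; the field layout is an assumption for this example.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Extensions the embedded web server would execute rather than serve as data (assumed set).
EXEC_EXT = (".cgi", ".sh", ".php", ".pl", ".py", ".lua")
WINDOW = timedelta(minutes=10)   # how long after a POST a first-seen script GET counts as suspicious

# Constructed sample log (not real device output). Hypothetical paths: /upload, /uploads/shell.cgi.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Dec/2025:10:00:40 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - ops [12/Dec/2025:10:00:52 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - ops [12/Dec/2025:10:01:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - admin [12/Dec/2025:10:01:15 +0000] "POST /upload HTTP/1.1" 200 57 "-" "curl/8.4.0"
10.0.0.5 - admin [12/Dec/2025:10:01:17 +0000] "GET /uploads/shell.cgi?cmd=id HTTP/1.1" 200 312 "-" "curl/8.4.0"
10.0.0.5 - admin [12/Dec/2025:10:02:30 +0000] "GET /uploads/shell.cgi?cmd=uname HTTP/1.1" 200 290 "-" "curl/8.4.0"
10.0.0.9 - ops [12/Dec/2025:10:03:00 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
# Script paths the device legitimately serves, taken from a known-good baseline (assumed here).
KNOWN_PATHS = {"/cgi-bin/status.cgi"}


def parse_line(line: str):
    """Return a dict of fields for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["path"] = ev["uri"].split("?", 1)[0]   # strip the query string before matching
    return ev


def detect(lines, known_paths):
    """Alert when a client successfully fetches a never-before-served script path
    within WINDOW of that same client's accepted POST (the upload-then-invoke sequence)."""
    alerts = []
    posts = defaultdict(list)        # src -> [(ts, path)] of accepted POSTs
    seen = set(known_paths)          # script paths already baselined or already served
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["method"] == "POST" and 200 <= ev["status"] < 400:
            posts[ev["src"]].append((ev["ts"], ev["path"]))
            continue
        if ev["method"] != "GET" or not (200 <= ev["status"] < 300):
            continue
        if not ev["path"].lower().endswith(EXEC_EXT) or ev["path"] in seen:
            continue
        seen.add(ev["path"])         # first successful fetch of a new script path
        for post_ts, post_path in reversed(posts[ev["src"]]):
            delta = ev["ts"] - post_ts
            if timedelta(0) <= delta <= WINDOW:
                alerts.append({
                    "src": ev["src"],
                    "user": ev["user"],
                    "upload_path": post_path,
                    "script_path": ev["path"],
                    "seconds_after_upload": int(delta.total_seconds()),
                })
                break
    return alerts


def run_sample():
    """Run the detector over the constructed sample log with the assumed baseline."""
    return detect(SAMPLE_LOG.splitlines(), KNOWN_PATHS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The baseline set matters: without it, any legitimate script the device serves would fire on its first appearance after a routine login POST. Seeding `known_paths` from a period of known-good traffic, and alerting only on 2xx fetches, keeps the rule focused on content that did not exist before the upload. Access logs do not carry request bodies, so this catches the invoke step rather than the upload content itself; pairing it with body inspection at a reverse proxy closes that gap.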

Lyrie Verdict

This is a machine-speed exploitation problem on embedded gateways: a single authenticated upload endpoint across a fleet becomes a rapid pivot if credentials or sessions are harvested at scale [CISA KEV]. Lyrie's autonomous detectors lock onto the behavior that matters, not vendor strings: authenticated POSTs delivering executable MIME or script content to ALEOS web paths, immediate routable access to newly written files, and follow-on callbacks from the device web server, all detected and acted on without waiting for human triage. For EoL/EoS devices that cannot be fixed, we force the asymmetry back: isolate interfaces automatically, throttle or block upload transactions in-line, and alert on any post-upload execution attempt at machine speed, neutralizing the KEV-listed abuse pattern before persistence is established.

Lyrie Verdict

Autonomous detection must key on authenticated file-upload behaviors to ALEOS web paths and post-upload execution attempts; Lyrie isolates or blocks these flows in real time across fleets—critical for EoL/EoS devices where patching isn’t viable.