CyberSec.Space Logo
返回 CVE 浏览器

CVE-2018-4063

Known Exploited (CISA KEV)HIGH
8.8
CVSS Severity Score
EPSS Score95.0310%
EPSS Percentile92.21th
Published2019年5月6日
Last Modified2025年12月15日

Vulnerability Description

An exploitable remote code execution vulnerability exists in the upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded, and routable, to the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Affected Platforms (CPE)

💻
Sierrawireless

Aleos

< 4.4.9
💻
Sierrawireless

Aleos

< 4.11.0
💻
Sierrawireless

Aleos

< 4.9.4

References & Advisories

🔗 http://packetstormsecurity.com/files/152648/Sierra-Wireless-AirLink-ES450-ACEManager-upload.cgi-Remote-Code-Execution.html
🔗 http://www.securityfocus.com/bid/108147
🔗 https://ics-cert.us-cert.gov/advisories/ICSA-19-122-03
🔗 https://talosintelligence.com/vulnerability_reports/TALOS-2018-0748
🔗 http://packetstormsecurity.com/files/152648/Sierra-Wireless-AirLink-ES450-ACEManager-upload.cgi-Remote-Code-Execution.html
🔗 http://www.securityfocus.com/bid/108147
🔗 https://ics-cert.us-cert.gov/advisories/ICSA-19-122-03
🔗 https://talosintelligence.com/vulnerability_reports/TALOS-2018-0748

相关漏洞威胁

CVE-2015-289710.0

Sierra Wireless ALEOS before 4.4.2 on AirLink ES, GX, and LS devices has hardcoded root accounts, which makes it easier for remote...

CVE-2016-50659.8

Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 allow Embedded_Ace_Set_Task.cgi command injection.

CVE-2019-118519.8

The ACENet service in Sierra Wireless ALEOS before 4.4.9, 4.5.x through 4.9.x before 4.9.5, and 4.10.x through 4.13.x before 4.14....

CVE-2016-50669.8

Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 have weak passwords for admin, rauser, sconsole, and user.