Sierra Wireless AirLink ALEOS Unrestricted File Upload Exploitation
Detects exploitation of CVE-2018-4063, an unrestricted file upload vulnerability (CWE-434) in Sierra Wireless AirLink ALEOS firmware. Attackers can upload files with dangerous types via the ACEmanager web interface, enabling remote code execution on cellular gateway devices. This vulnerability is listed in CISA KEV and has been exploited in the wild against critical infrastructure.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Sierra Wireless
- Product
- AirLink ALEOS
Weakness (CWE)
Timeline
- Disclosed
- December 12, 2025
References & Proof of Concept
- https://www.cisa.gov/news-events/ics-advisories/icsa-19-122-03
- https://source.sierrawireless.com/resources/airlink/software_reference_docs/technical-bulletin/sierra-wireless-technical-bulletin---swi-psa-2019-003
- https://source.sierrawireless.com/resources/airlink/hardware_reference_docs/airlink_es450_eol
- https://nvd.nist.gov/vuln/detail/CVE-2018-4063
CVSS
What is CVE-2018-4063 Sierra Wireless AirLink ALEOS Unrestricted File Upload Exploitation?
Sierra Wireless AirLink ALEOS Unrestricted File Upload Exploitation (CVE-2018-4063) maps to the Initial Access and Execution and Lateral Movement tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for Sierra Wireless AirLink ALEOS Unrestricted File Upload Exploitation, covering the data sources and telemetry it touches: DeviceNetworkEvents, CommonSecurityLog, W3CIISLog, Syslog. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
let SierraWirelessPorts = dynamic([9443, 443, 80, 8080]);
let DangerousExtensions = dynamic(['.php', '.asp', '.aspx', '.jsp', '.cgi', '.sh', '.py', '.pl', '.exe', '.elf']);
let timeWindow = 1h;
union
(
DeviceNetworkEvents
| where TimeGenerated > ago(timeWindow)
| where RemotePort in (SierraWirelessPorts)
| where InitiatingProcessCommandLine has_any ('curl', 'wget', 'python', 'upload')
| where RemoteUrl has_any ('acemanager', '/upload', '/cgi-bin', '/firmware')
| project TimeGenerated, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessCommandLine, ActionType
),
(
CommonSecurityLog
| where TimeGenerated > ago(timeWindow)
| where DeviceVendor =~ "Sierra Wireless" or DeviceProduct =~ "ALEOS"
| where Activity has_any ('upload', 'POST', 'file')
| project TimeGenerated, DeviceAddress, SourceIP, DestinationIP, Activity, AdditionalExtensions
),
(
W3CIISLog
| where TimeGenerated > ago(timeWindow)
| where csMethod == "POST"
| where csUriStem has_any ('/acemanager', '/upload', '/cgi-bin')
| extend FileExt = extract(@'(\.[a-zA-Z0-9]+)$', 1, csUriQuery)
| where FileExt in (DangerousExtensions)
| project TimeGenerated, cIP, csUriStem, csUriQuery, FileExt, scStatus
)
| extend AlertSeverity = "High"
| extend CVE = "CVE-2018-4063"
| order by TimeGenerated descDetects HTTP POST requests to Sierra Wireless AirLink ALEOS ACEmanager endpoints with dangerous file extensions, network connections to known ALEOS management ports with upload activity, and syslog events from Sierra Wireless devices indicating file upload operations.
Data Sources
Required Tables
False Positives
- Legitimate firmware upgrades performed by authorized network administrators via ACEmanager
- Authorized configuration file uploads during scheduled maintenance windows
- Security scanning tools probing ALEOS management interfaces as part of authorized vulnerability assessments
- Network monitoring solutions polling ALEOS device status via management APIs
Sigma rule & cross-platform mapping
The detection logic for Sierra Wireless AirLink ALEOS Unrestricted File Upload Exploitation (CVE-2018-4063) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: network_connection
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2018-4063
References (4)
- https://www.cisa.gov/news-events/ics-advisories/icsa-19-122-03
- https://source.sierrawireless.com/resources/airlink/software_reference_docs/technical-bulletin/sierra-wireless-technical-bulletin---swi-psa-2019-003
- https://source.sierrawireless.com/resources/airlink/hardware_reference_docs/airlink_es450_eol
- https://nvd.nist.gov/vuln/detail/CVE-2018-4063
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate File Upload to ALEOS ACEmanager Endpoint
Expected signal: HTTP POST to port 9443 with multipart/form-data body containing a .php file extension; network flow from attacker IP to ALEOS management IP
- Test 2Upload ELF Binary to ALEOS CGI Directory
Expected signal: POST request to /cgi-bin/upload with Content-Disposition header containing filename ending in .elf; successful HTTP 200 response if device is unpatched
- Test 3Enumerate ALEOS ACEmanager Upload Endpoints
Expected signal: Sequential GET requests from a single source IP to multiple ALEOS management paths within a short time window; HTTP response codes indicating which paths are accessible
Unlock Pro Content
Get the full detection package for CVE-2018-4063 including response playbook, investigation guide, and atomic red team tests.