Which SIEM platforms have a CVE-2018-4063 detection rule?

df00tech provides CVE-2018-4063 (Sierra Wireless AirLink ALEOS Unrestricted File Upload Exploitation) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the CVE-2018-4063 detection?

The CVE-2018-4063 detection is rated critical severity with medium confidence.

What are common false positives for CVE-2018-4063?

Common false positives for CVE-2018-4063 include: Legitimate firmware upgrades performed by authorized network administrators via ACEmanager; Authorized configuration file uploads during scheduled maintenance windows; Security scanning tools probing ALEOS management interfaces as part of authorized vulnerability assessments.

CVE-2018-4063 Elastic Security · Elastic

Detect Sierra Wireless AirLink ALEOS Unrestricted File Upload Exploitation in Elastic Security

Q: What data sources are required to detect Sierra Wireless AirLink ALEOS Unrestricted File Upload Exploitation (CVE-2018-4063)?

Detecting Sierra Wireless AirLink ALEOS Unrestricted File Upload Exploitation requires the following data sources: DeviceNetworkEvents, CommonSecurityLog, W3CIISLog, Syslog.

Detects exploitation of CVE-2018-4063, an unrestricted file upload vulnerability (CWE-434) in Sierra Wireless AirLink ALEOS firmware. Attackers can upload files with dangerous types via the ACEmanager web interface, enabling remote code execution on cellular gateway devices. This vulnerability is listed in CISA KEV and has been exploited in the wild against critical infrastructure.

MITRE ATT&CK

Tactic: Initial Access Execution Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)

eql

sequence by source.ip with maxspan=5m
  [network where destination.port in (9443, 443, 80, 8080)
   and http.request.method == "POST"
   and (
     url.path like "*acemanager*" or
     url.path like "*/upload*" or
     url.path like "*/cgi-bin*" or
     url.path like "*/firmware*"
   )
  ]
  [network where destination.port in (9443, 443, 80, 8080)
   and (
     url.path like "*.php" or
     url.path like "*.asp" or
     url.path like "*.aspx" or
     url.path like "*.jsp" or
     url.path like "*.cgi" or
     url.path like "*.sh" or
     url.path like "*.elf" or
     url.path like "*.py"
   )
  ]

critical severity medium confidence

EQL sequence detecting a two-stage upload pattern: first a POST to ALEOS management endpoints, followed by a request containing a dangerous file extension — consistent with CVE-2018-4063 exploitation.

Data Sources

Network Packet LogsHTTP Access LogsElastic Agent Network Events

Required Tables

logs-network.*logs-endpoint.events.network*filebeat-*

False Positives & Tuning

Authorized firmware update workflows where administrators upload new ALEOS firmware images
Network scanners performing automated discovery against cellular gateway management ports
Legitimate IT automation uploading configuration scripts to ALEOS devices
SNMP or REST API polling tools that generate sequential management-port connections

Other platforms for CVE-2018-4063

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Simulate File Upload to ALEOS ACEmanager Endpoint
Expected signal: HTTP POST to port 9443 with multipart/form-data body containing a .php file extension; network flow from attacker IP to ALEOS management IP
Test 2Upload ELF Binary to ALEOS CGI Directory
Expected signal: POST request to /cgi-bin/upload with Content-Disposition header containing filename ending in .elf; successful HTTP 200 response if device is unpatched
Test 3Enumerate ALEOS ACEmanager Upload Endpoints
Expected signal: Sequential GET requests from a single source IP to multiple ALEOS management paths within a short time window; HTTP response codes indicating which paths are accessible

Last updated: 2026-06-19 Research depth: standard

References (4)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for CVE-2018-4063 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hubs

TA0001Initial Access TA0002Execution TA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing Application T1059Command and Scripting Interpreter T1021Remote Services

Detect Sierra Wireless AirLink ALEOS Unrestricted File Upload Exploitation in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2018-4063

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for CVE-2018-4063

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hubs

Related Techniques

Same Tactic: Initial Access

Popular Detections

Get new detections in your inbox