CVE-2018-4063 CrowdStrike LogScale · LogScale

Detect Sierra Wireless AirLink ALEOS Unrestricted File Upload Exploitation in CrowdStrike LogScale

Detects exploitation of CVE-2018-4063, an unrestricted file upload vulnerability (CWE-434) in Sierra Wireless AirLink ALEOS firmware. Attackers can upload files with dangerous types via the ACEmanager web interface, enabling remote code execution on cellular gateway devices. This vulnerability is listed in CISA KEV and has been exploited in the wild against critical infrastructure.

MITRE ATT&CK

Tactic
Initial Access Execution Lateral Movement

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=NetworkConnectIP4 OR #event_simpleName=NetworkConnectIP6 OR #event_simpleName=HttpRequest
| RemotePort in (9443, 443, 80, 8080)
| HttpMethod = "POST"
| UrlPath = /acemanager|^\/upload|\/cgi-bin|\/firmware/i
| UrlPath = /\.(php|asp|aspx|jsp|cgi|sh|elf|py)$/i
| groupBy([RemoteAddressIP4, RemotePort, UrlPath, HttpMethod, aid, ComputerName], function=([count(aid, as=upload_attempts), min(timestamp, as=first_seen), max(timestamp, as=last_seen)]))
| eval cve = "CVE-2018-4063"
| eval product = "Sierra Wireless AirLink ALEOS"
| eval tactic = "Initial Access"
| sort(last_seen, order=desc)
critical severity medium confidence

CrowdStrike Falcon LogScale CQL query detecting POST requests with dangerous file extensions to Sierra Wireless ALEOS ACEmanager management paths, grouped by source and destination for triage.

Data Sources

CrowdStrike Falcon Network TelemetryFalcon HttpRequest EventsFalcon NetworkConnect Events

Required Tables

NetworkConnectIP4NetworkConnectIP6HttpRequest

False Positives & Tuning

  • Legitimate network administrator firmware upgrades performed via ACEmanager HTTPS portal
  • Authorized ALEOS device configuration restoration involving file uploads
  • Managed security provider remote maintenance sessions uploading scripts to ALEOS gateways
  • Automated device lifecycle management tools performing ALEOS provisioning operations

Other platforms for CVE-2018-4063

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate File Upload to ALEOS ACEmanager Endpoint

    Expected signal: HTTP POST to port 9443 with multipart/form-data body containing a .php file extension; network flow from attacker IP to ALEOS management IP

  2. Test 2Upload ELF Binary to ALEOS CGI Directory

    Expected signal: POST request to /cgi-bin/upload with Content-Disposition header containing filename ending in .elf; successful HTTP 200 response if device is unpatched

  3. Test 3Enumerate ALEOS ACEmanager Upload Endpoints

    Expected signal: Sequential GET requests from a single source IP to multiple ALEOS management paths within a short time window; HTTP response codes indicating which paths are accessible

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2018-4063 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1059Command and Scripting InterpreterT1021Remote Services

Same Tactic: Initial Access

Popular Detections