CVE-2018-4063 Sumo Logic CSE · Sumo

Detect Sierra Wireless AirLink ALEOS Unrestricted File Upload Exploitation in Sumo Logic CSE

Detects exploitation of CVE-2018-4063, an unrestricted file upload vulnerability (CWE-434) in Sierra Wireless AirLink ALEOS firmware. Attackers can upload files with dangerous types via the ACEmanager web interface, enabling remote code execution on cellular gateway devices. This vulnerability is listed in CISA KEV and has been exploited in the wild against critical infrastructure.

MITRE ATT&CK

Tactic
Initial Access Execution Lateral Movement

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=network/proxy OR _sourceCategory=network/firewall OR _sourceCategory=web/access
| parse "method=*" as http_method nodrop
| parse "url=*" as request_url nodrop
| parse "src_ip=*" as source_ip nodrop
| parse "dest_ip=*" as dest_ip nodrop
| parse "dest_port=*" as dest_port nodrop
| where dest_port in ("9443", "443", "80", "8080")
| where http_method = "POST"
| where request_url matches "*acemanager*"
  OR request_url matches "*/upload*"
  OR request_url matches "*/cgi-bin*"
  OR request_url matches "*/firmware*"
| where request_url matches "*.php"
  OR request_url matches "*.asp"
  OR request_url matches "*.aspx"
  OR request_url matches "*.jsp"
  OR request_url matches "*.cgi"
  OR request_url matches "*.sh"
  OR request_url matches "*.elf"
  OR request_url matches "*.py"
| withtime _messageTime
| count by source_ip, dest_ip, dest_port, request_url
| sort by _count desc
| fields source_ip, dest_ip, dest_port, request_url, _count
critical severity medium confidence

Sumo Logic query identifying POST requests with dangerous file extensions targeting Sierra Wireless AirLink ALEOS ACEmanager upload endpoints across proxy, firewall, and web access log sources.

Data Sources

Proxy LogsFirewall LogsWeb Access Logs

Required Tables

network/proxynetwork/firewallweb/access

False Positives & Tuning

  • Authorized ALEOS firmware update processes conducted by network operations teams
  • Legitimate configuration management scripts uploading files to cellular gateways
  • IT automation frameworks performing scheduled ALEOS device provisioning tasks
  • Security team members conducting authorized vulnerability verification on test ALEOS units

Other platforms for CVE-2018-4063

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate File Upload to ALEOS ACEmanager Endpoint

    Expected signal: HTTP POST to port 9443 with multipart/form-data body containing a .php file extension; network flow from attacker IP to ALEOS management IP

  2. Test 2Upload ELF Binary to ALEOS CGI Directory

    Expected signal: POST request to /cgi-bin/upload with Content-Disposition header containing filename ending in .elf; successful HTTP 200 response if device is unpatched

  3. Test 3Enumerate ALEOS ACEmanager Upload Endpoints

    Expected signal: Sequential GET requests from a single source IP to multiple ALEOS management paths within a short time window; HTTP response codes indicating which paths are accessible

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2018-4063 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1059Command and Scripting InterpreterT1021Remote Services

Same Tactic: Initial Access

Popular Detections