CYBER SYRUP
Delivering the sweetest insights on cybersecurity.


CISA Flags Actively Exploited Sierra Wireless Router Flaw in Critical Infrastructure Environments

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity vulnerability affecting Sierra Wireless AirLink routers to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.

Tracked as CVE-2018-4063, the flaw allows authenticated attackers to upload arbitrary executable files, resulting in remote code execution (RCE) with root-level privileges.

Although the vulnerability is more than six years old, recent activity shows it remains attractive to threat actors targeting industrial and operational technology (OT) environments.

Context

Sierra Wireless AirLink routers are widely deployed in industrial, transportation, energy, and remote infrastructure networks. These devices often operate in unattended or geographically isolated environments, making them high-value targets for attackers seeking persistence or lateral movement into OT systems.

CISA’s KEV catalog highlights vulnerabilities that are actively exploited and pose significant risk to federal and critical infrastructure organizations.

What Happened

On Friday, CISA added CVE-2018-4063 to the KEV list following confirmed exploitation activity.

The vulnerability affects the ACEManager web interface in certain Sierra Wireless AirLink devices, where attackers can abuse a file upload function to overwrite existing executable files.

Federal agencies are now required to remediate or discontinue use of affected devices by January 2, 2026, as the product has reached end-of-support.

Technical Breakdown

CVE-2018-4063 is an unrestricted file upload vulnerability in the /cgi-bin/upload.cgi endpoint of the ACEManager interface.

Attackers can upload a file using the same name as an existing executable, such as fw_upload_init.cgi. Because the application does not restrict overwriting files, the uploaded payload inherits the original file’s execution permissions.

Compounding the risk, ACEManager runs as root, meaning any uploaded script or binary executes with full system privileges.

This design flaw enables attackers with valid credentials to achieve complete device compromise through a single HTTP request.
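To make the defect class concrete, here is an added example that is not ACEManager's code and not from the advisory: a minimal upload handler with the weakness described above (a client-chosen name can replace an existing executable in place, keeping its execute bit), beside a hardened version that refuses to overwrite anything and creates uploads without execute permission. The file name fw_upload_init.cgi is the one cited above; the directory and file contents are constructed.

```python
import os
import re
import stat
import tempfile

# Constructed illustration of the CVE-2018-4063 defect class, not ACEManager code:
# a client-chosen name lets an upload replace an existing executable in place.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")  # no '/' or leading '.'
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def save_upload_unsafe(upload_dir, filename, data):
    """Weak handler: an existing target is truncated and rewritten but keeps
    its mode bits, execute bit included."""
    path = os.path.join(upload_dir, filename)
    with open(path, "wb") as f:
        f.write(data)
    return path

def save_upload_hardened(upload_dir, filename, data):
    """Hardened handler: strict name allow-list, never overwrite (O_EXCL makes
    the check atomic), file created 0o600 so nothing uploaded is executable."""
    if not SAFE_NAME.match(filename):
        raise ValueError("rejected filename")
    path = os.path.join(upload_dir, filename)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path

def is_executable(path):
    return bool(os.stat(path).st_mode & EXEC_BITS)

def demo():
    """Plant a fake executable CGI, then send the same name to both handlers.
    Returns (unsafe_kept_exec_bit, hardened_refused, fresh_upload_executable)."""
    d = tempfile.mkdtemp()
    target = os.path.join(d, "fw_upload_init.cgi")  # name cited in the advisory
    with open(target, "wb") as f:
        f.write(b"#!/bin/sh\necho original\n")
    os.chmod(target, 0o755)
    save_upload_unsafe(d, "fw_upload_init.cgi", b"#!/bin/sh\necho replaced\n")
    unsafe_exec = is_executable(target)
    try:
        save_upload_hardened(d, "fw_upload_init.cgi", b"x")
        refused = False
    except FileExistsError:
        refused = True
    fresh = save_upload_hardened(d, "telemetry.bin", b"constructed content")
    return unsafe_exec, refused, is_executable(fresh)
```

Running the upload handler as an unprivileged user rather than root, as the text notes ACEManager does, would further limit what an overwritten file could do even if the no-overwrite check were bypassed.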

Impact Analysis

Successful exploitation provides attackers with persistent, privileged access to industrial routers.

Such access can be leveraged to deploy malware, disrupt network traffic, pivot into adjacent systems, or conscript devices into botnets and cryptomining operations.

Honeypot research shows that industrial routers are among the most frequently targeted devices in OT environments, underscoring the real-world relevance of this vulnerability.

Why It Matters

This case highlights a persistent challenge in infrastructure security: unpatched legacy vulnerabilities in long-lived devices.

Even years after disclosure, flaws like CVE-2018-4063 remain exploitable due to limited patching, operational constraints, or devices operating beyond their supported lifecycle.

For critical infrastructure operators, such weaknesses represent a silent but systemic risk.

Expert Commentary

Security researchers note that recent exploitation activity appears opportunistic rather than highly targeted.

Forescout attributed earlier abuse of this vulnerability to a threat cluster labeled Chaya_005, which conducted broad reconnaissance across multiple vendors rather than sustained exploitation.

While the immediate threat may have diminished, the vulnerability’s inclusion in the KEV catalog signals continued concern.

Key Takeaways

  • CVE-2018-4063 enables remote code execution on Sierra Wireless AirLink routers

  • The flaw stems from unrestricted file uploads and root-level execution

  • CISA confirms active exploitation in operational environments

  • Industrial routers remain high-value targets for malware delivery

  • Affected devices have reached end-of-support

  • Federal agencies must remediate or retire systems by January 2, 2026
