Sierra Wireless AirLink ALEOS (Update B)
Act NowCVSS 9.1ICS-CERT ICSA-19-122-03May 2, 2019
Sierra Wireless
Attack path
Attack VectorNetwork
Auth RequiredHigh
ComplexityLow
User InteractionNone needed
Summary
Sierra Wireless ALEOS firmware contains multiple critical vulnerabilities (CWE-78 remote code execution, CWE-798 hardcoded credentials, CWE-434 unrestricted file upload, CWE-79 cross-site scripting, CWE-352 CSRF, CWE-200 information disclosure). Successful exploitation allows remote code execution, credential disclosure, unauthorized file upload, and path enumeration. Affected products: MP70, MP70E, RV50, RV50X, LX40, LX60 (all versions before 4.12); LS300, GX400, GX440, ES440 (all versions before 4.4.9); GX450, ES450 (all versions before 4.9.4).
What this means
What could happen
An attacker with network access to these AirLink devices could remotely execute arbitrary commands, potentially seizing control of critical infrastructure like cellular gateways, remote access points, and industrial routers that manage utility operations. This could disrupt communications, alter network settings, or cause complete device compromise.
Who's at risk
This affects mid-sized utilities and municipalities that use Sierra Wireless AirLink cellular gateways and remote access devices for critical infrastructure monitoring and control. Specific equipment: MP70/MP70E/RV50/RV50X (industrial cellular routers), LX40/LX60 (industrial WiFi/LTE devices), LS300 (industrial location server), GX400/GX440/ES440 (industrial cellular and edge gateways), GX450/ES450 (cellular edge servers). Any organization using these for SCADA, remote facility management, or utility operations is at risk.
How it could be exploited
An attacker on the network (or Internet if the device is exposed) can send a crafted request to the ALEOS web interface or exploit hardcoded credentials to gain administrative access. From there, the attacker can upload malicious files, execute system commands via RCE vulnerabilities, or extract sensitive data and configuration files containing credentials.
Prerequisites
- Network access to the device's management interface (web port, typically 80/443)
- No authentication required for some vulnerabilities (hardcoded credentials or unauthenticated endpoints)
- Device must be running a vulnerable firmware version (before 4.12, 4.4.9, or 4.9.4 depending on product)
Remotely exploitableNo authentication required (hardcoded credentials)Low attack complexityActively exploited (KEV)EPSS score 71.9% (very high)Affects critical infrastructure devicesRemote code execution capability
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (3)
3 with fix
ProductAffected VersionsFix Status
MP70 MP70E RV50 RV50X LX40 and LX60: All< 4.124.12
LS300 GX400 GX440 and ES440: All< 4.4.94.4.9
GX450 and ES450: All< 4.9.44.9.4.p09
Remediation & Mitigation
0/8
Do now
0/6HOTFIXUpgrade MP70, MP70E, RV50, RV50X, LX40, LX60 to ALEOS 4.12 or later
HOTFIXUpgrade LS300, GX400, GX440, ES440 to ALEOS 4.4.9 or later
HOTFIXUpgrade GX450, ES450 to ALEOS 4.9.4.p09 or later
HARDENINGSet strong passwords (per NIST SP800-63B) for all user accounts, including web console, AAF user (if enabled), and Telnet/SSH console accounts
WORKAROUNDDisable Telnet and SSH if not required; if enabled, restrict access via firewall rules
HARDENINGUse HTTPS only for ACEmanager connections; ensure modern browser with CSRF protection
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HARDENINGDeploy Snort rules 48600, 48635, 48614-48621, 48747 to detect exploitation attempts
Long-term hardening
0/1HARDENINGPlace all AirLink devices behind firewall; isolate from Internet and business network; use VPN for required remote access
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/bfa1b254-d1c9-4ae2-978a-6f370ae6d005Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.