OTPulse

Sierra Wireless AirLink ALEOS (Update B)

Act Now · CVSS 9.1 · ICS-CERT ICSA-19-122-03 · May 2, 2019
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

Sierra Wireless ALEOS firmware contains multiple critical vulnerabilities (CWE-78 remote code execution, CWE-798 hardcoded credentials, CWE-434 unrestricted file upload, CWE-79 cross-site scripting, CWE-352 CSRF, CWE-200 information disclosure). Successful exploitation allows remote code execution, credential disclosure, unauthorized file upload, and path enumeration. Affected products: MP70, MP70E, RV50, RV50X, LX40, LX60 (all versions before 4.12); LS300, GX400, GX440, ES440 (all versions before 4.4.9); GX450, ES450 (all versions before 4.9.4).

What this means
What could happen
An attacker with network access to these AirLink devices could remotely execute arbitrary commands, potentially seizing control of critical infrastructure like cellular gateways, remote access points, and industrial routers that manage utility operations. This could disrupt communications, alter network settings, or cause complete device compromise.
Who's at risk
This affects mid-sized utilities and municipalities that use Sierra Wireless AirLink cellular gateways and remote access devices for critical infrastructure monitoring and control. Specific equipment: MP70/MP70E/RV50/RV50X (industrial cellular routers), LX40/LX60 (industrial WiFi/LTE devices), LS300 (industrial location server), GX400/GX440/ES440 (industrial cellular and edge gateways), GX450/ES450 (cellular edge servers). Any organization using these for SCADA, remote facility management, or utility operations is at risk.
How it could be exploited
An attacker on the network (or Internet if the device is exposed) can send a crafted request to the ALEOS web interface or exploit hardcoded credentials to gain administrative access. From there, the attacker can upload malicious files, execute system commands via RCE vulnerabilities, or extract sensitive data and configuration files containing credentials.
Prerequisites
  • Network access to the device's management interface (web port, typically 80/443)
  • No authentication required for some vulnerabilities (hardcoded credentials or unauthenticated endpoints)
  • Device must be running a vulnerable firmware version (before 4.12, 4.4.9, or 4.9.4 depending on product)
  • Remotely exploitable
  • No authentication required (hardcoded credentials)
  • Low attack complexity
  • Actively exploited (KEV)
  • EPSS score 71.9% (very high)
  • Affects critical infrastructure devices
  • Remote code execution capability
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (3)
3 with fix
Product | Affected Versions | Fix Status
MP70 MP70E RV50 RV50X LX40 and LX60: All | < 4.12 | 4.12
LS300 GX400 GX440 and ES440: All | < 4.4.9 | 4.4.9
GX450 and ES450: All | < 4.9.4 | 4.9.4.p09
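
To triage a device inventory against the table above, the following added example (not part of the advisory or any Sierra Wireless tooling) compares firmware versions numerically, since a plain string comparison would rank 4.9.3 above 4.12 and miss an affected device. The inventory layout, status labels and host names are assumptions, as is the dot-separated version format with an optional pNN patch suffix.

```python
import re

# Model groups with "affected before" and fix versions, as listed in this advisory.
ADVISORY = [
    ({"MP70", "MP70E", "RV50", "RV50X", "LX40", "LX60"}, "4.12", "4.12"),
    ({"LS300", "GX400", "GX440", "ES440"}, "4.4.9", "4.4.9"),
    ({"GX450", "ES450"}, "4.9.4", "4.9.4.p09"),
]

def parse_version(text):
    """Turn '4.9.4.p09' into (4, 9, 4, 9) so that 4.12 sorts above 4.4.9."""
    parts = []
    for piece in text.strip().split("."):
        match = re.fullmatch(r"[pP]?(\d+)", piece)
        if match is None:
            raise ValueError(f"unrecognised version component: {piece!r}")
        parts.append(int(match.group(1)))
    while parts and parts[-1] == 0:  # treat 4.12.0 and 4.12 as equal
        parts.pop()
    return tuple(parts)

def assess(model, version):
    """Return (status, fix_version) for one device; labels are hypothetical."""
    for models, affected_before, fix in ADVISORY:
        if model.upper() in models:
            try:
                vulnerable = parse_version(version) < parse_version(affected_before)
            except ValueError:
                return ("CHECK MANUALLY", fix)
            return ("UPGRADE", fix) if vulnerable else ("OK", fix)
    return ("NOT LISTED", None)

def triage(inventory):
    """Return rows needing action as (host, model, version, status, fix)."""
    rows = [(h, m, v, *assess(m, v)) for h, m, v in inventory]
    return [r for r in rows if r[3] != "OK"]

# Constructed sample inventory: host names and versions are made up.
SAMPLE = [
    ("pump-stn-01", "RV50", "4.9.3"),
    ("pump-stn-02", "rv50x", "4.12.0"),
    ("substation-7", "GX450", "4.9.3.p02"),
    ("lift-stn-03", "LS300", "4.4.8"),
    ("legacy-01", "GX440", "unknown"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print("{:<13} {:<6} {:<10} {:<15} fix: {}".format(*row))
```

Devices whose version string cannot be parsed are reported for manual review rather than silently passed.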
Remediation & Mitigation
Do now
  • HOTFIX: Upgrade MP70, MP70E, RV50, RV50X, LX40, LX60 to ALEOS 4.12 or later
  • HOTFIX: Upgrade LS300, GX400, GX440, ES440 to ALEOS 4.4.9 or later
  • HOTFIX: Upgrade GX450, ES450 to ALEOS 4.9.4.p09 or later
  • HARDENING: Set strong passwords (per NIST SP800-63B) for all user accounts, including web console, AAF user (if enabled), and Telnet/SSH console accounts
  • WORKAROUND: Disable Telnet and SSH if not required; if enabled, restrict access via firewall rules
  • HARDENING: Use HTTPS only for ACEmanager connections; ensure modern browser with CSRF protection
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Deploy Snort rules 48600, 48635, 48614-48621, 48747 to detect exploitation attempts
Long-term hardening
  • HARDENING: Place all AirLink devices behind firewall; isolate from Internet and business network; use VPN for required remote access