Sierra Wireless AirLink Router with ALEOS Software
ICS-CERT ICSA-23-026-04, Jan 26, 2023
Attack Vector: Adjacent
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Two vulnerabilities in Sierra Wireless ALEOS software allow information disclosure (CWE-200) and argument injection (CWE-88) on AirLink routers. Successful exploitation requires network access to the ACEManager management interface and valid device credentials, and could result in loss of sensitive information including encryption keys and credentials, or remote code execution on the router. Affected models include ES450, GX450, MP70, RV50, RV50x, RV55, LX 40, and LX60 running ALEOS software below version 4.16.0 (or 4.9.8 for older models).
What this means
What could happen
An attacker with access to the router's management interface could extract sensitive information or execute arbitrary code on the device, potentially disrupting WAN connectivity, compromising network traffic, or enabling pivot attacks into operational networks.
Who's at risk
Water authorities and utilities using Sierra Wireless AirLink routers (ES450, GX450, MP70, RV50, RV50x, RV55, LX 40, LX60) for WAN connectivity in SCADA networks, field device communication, or remote site management. These routers are commonly deployed as gateways to cellular or private networks for operational sites.
How it could be exploited
An attacker with network access to the ACEManager interface (default management port) and valid credentials could exploit argument injection or information disclosure vulnerabilities to execute commands on the router or read sensitive data such as configuration, authentication credentials, or encryption keys.
Prerequisites
- Network access to ACEManager interface (typically accessible on LAN; WAN access depends on configuration)
- Valid ALEOS device credentials (username/password)
- Local or adjacent network position (CVSS attack vector AV:A, Adjacent)
Low attack complexity
Requires valid credentials (reduces risk, but credentials may be shared or exposed)
No patch available for ES450, GX450 models
Can lead to remote code execution on a critical network gateway
Information disclosure of encryption keys and network credentials
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2): 2 pending
Product | Affected Versions | Fix Status
AirLink Router with ALEOS Software: AirLink Router (ES450, GX450) running ALEOS software | ≤ 4.9.7 | No fix yet
AirLink Router with ALEOS Software: AirLink Router (MP70, RV50, RV50x, RV55, LX 40, LX60) running ALEOS software | < 4.16.0 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Disable ACEManager access from the wide area network (WAN); use the Sierra Wireless AirLink Management System (ALMS) or an alternative device management platform for remote management instead
HARDENING: If WAN access to ACEManager is required, restrict access using a Private APN, a VPN, or the ALEOS Trusted IP feature, so that only authorized hosts can reach it
HARDENING: Ensure all ALEOS devices use strong, unique, random credentials; verify that non-default credentials are in place
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
AirLink Router with ALEOS Software: AirLink Router (MP70, RV50, RV50x, RV55, LX 40, LX60) running ALEOS software:
HOTFIX: Upgrade MP70, RV50, RV50x, RV55, LX 40, LX60 to ALEOS version 4.16.0 or later
AirLink Router with ALEOS Software: AirLink Router (ES450, GX450) running ALEOS software:
HOTFIX: Upgrade ES450, GX450 to ALEOS version 4.9.8 or later when available
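An inventory check built from the affected-version table and the upgrade steps above, as an added example (not Sierra Wireless tooling and not part of the advisory): it parses dotted ALEOS versions numerically, because a plain string comparison would rank 4.9.7 above 4.16.0, normalizes model spellings such as "LX 40" and "RV50x", and classifies each device in a constructed CSV inventory as affected, not affected, not listed in the advisory, or unparseable. The CSV layout (hostname, model, aleos_version), the hostnames and the version values are assumptions made for the example.

```python
"""Check an AirLink/ALEOS device inventory against the ICSA-23-026-04
affected-version table: ES450/GX450 affected at <= 4.9.7 (fix 4.9.8 pending),
MP70/RV50/RV50x/RV55/LX40/LX60 affected at < 4.16.0.
Added example; the inventory CSV format is an assumption, not a vendor format."""
import csv
import io
import re

# Model groups and thresholds as given in the advisory's product table.
LEGACY_MODELS = {"ES450", "GX450"}
CURRENT_MODELS = {"MP70", "RV50", "RV50X", "RV55", "LX40", "LX60"}
LEGACY_LAST_AFFECTED = (4, 9, 7)   # "<= 4.9.7"
CURRENT_FIXED = (4, 16, 0)         # "< 4.16.0"


def parse_version(text):
    """Turn an ALEOS version string such as '4.9.7' or '4.16' into a
    three-component integer tuple, so that 4.16.0 compares greater than
    4.9.7 (a string comparison would get this backwards)."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", text or "")
    if not m:
        raise ValueError(f"unparseable ALEOS version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def normalize_model(model):
    """'LX 40', 'lx-40' and 'RV50x' become 'LX40', 'LX40' and 'RV50X'."""
    return re.sub(r"[\s\-]", "", model or "").upper()


def is_affected(model, version):
    """True/False for models named in the advisory, None for any other model."""
    m = normalize_model(model)
    v = parse_version(version)
    if m in LEGACY_MODELS:
        return v <= LEGACY_LAST_AFFECTED
    if m in CURRENT_MODELS:
        return v < CURRENT_FIXED
    return None


def check_inventory(csv_text):
    """Classify every row of a 'hostname,model,aleos_version' CSV."""
    labels = {True: "AFFECTED", False: "NOT AFFECTED", None: "NOT LISTED"}
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            status = labels[is_affected(row["model"], row["aleos_version"])]
        except ValueError:
            # A blank or non-numeric version field must be investigated,
            # not silently treated as fixed.
            status = "UNPARSEABLE"
        results.append({**row, "status": status})
    return results


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """\
hostname,model,aleos_version
pump-site-01,RV55,4.15.2
pump-site-02,RV55,4.16.0
reservoir-gw,GX450,4.9.7
intake-gw,ES450,4.9.8
scada-edge,LX 40,4.16
lab-router,MP90,4.0.0
bad-entry,RV50,n/a
"""

if __name__ == "__main__":
    for r in check_inventory(SAMPLE_INVENTORY):
        print(f"{r['hostname']:<14}{r['model']:<8}{r['aleos_version']:<8}{r['status']}")
```

Rows reported as AFFECTED map to the two HOTFIX lines above (4.16.0 for current models, 4.9.8 for ES450/GX450 once released); UNPARSEABLE rows need a manual check of the device's actual ALEOS version.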
CVEs (2)
API:
/api/v1/advisories/c8ae26c9-3160-4662-8ce3-8acfe01d945e