Sierra Wireless AirLink Router with ALEOS Software

Plan PatchCVSS 8ICS-CERT ICSA-23-026-04Jan 26, 2023

Sierra Wireless

Attack path

Attack VectorAdjacent

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Two vulnerabilities in Sierra Wireless ALEOS software allow information disclosure (CWE-200) and argument injection (CWE-88) on AirLink routers. Successful exploitation requires network access to the ACEManager management interface and valid device credentials, and could result in loss of sensitive information including encryption keys and credentials, or remote code execution on the router. Affected models include ES450, GX450, MP70, RV50, RV50x, RV55, LX 40, and LX60 running ALEOS software below version 4.16.0 (or 4.9.8 for older models).

What this means

What could happen

An attacker with access to the router's management interface could extract sensitive information or execute arbitrary code on the device, potentially disrupting WAN connectivity, compromising network traffic, or enabling pivot attacks into operational networks.

Who's at risk

Water authorities and utilities using Sierra Wireless AirLink routers (ES450, GX450, MP70, RV50, RV50x, RV55, LX 40, LX60) for WAN connectivity in SCADA networks, field device communication, or remote site management. These routers are commonly deployed as gateways to cellular or private networks for operational sites.

How it could be exploited

An attacker with network access to the ACEManager interface (default management port) and valid credentials could exploit argument injection or information disclosure vulnerabilities to execute commands on the router or read sensitive data such as configuration, authentication credentials, or encryption keys.

Prerequisites

Network access to ACEManager interface (typically accessible on LAN; WAN access depends on configuration)
Valid ALEOS device credentials (username/password)
Local or adjacent network position (CVSS vector AV:A indicates adjacent/local)

Low attack complexityRequires valid credentials (reduces risk but credentials may be shared or exposed)No patch available for ES450, GX450 modelsCan lead to remote code execution on critical network gatewayInformation disclosure of encryption keys and network credentials

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (2)

2 pending

ProductAffected VersionsFix Status

AirLink Router with ALEOS Software: Airlink Router (ES450, GX450) running ALEOS software:≤ 4.9.7No fix yet

AirLink Router with ALEOS Software: Airlink Router (MP70, RV50, RV50x, RV55, LX 40, LX60) running ALEOS software:< 4.16.0No fix yet

Remediation & Mitigation

0/5

Do now

0/3

WORKAROUNDDisable ACEManager access from the wide area network (WAN); use Sierra Wireless Airlink Management System (ALMS) or alternative device management platform for remote management instead

HARDENINGIf WAN access to ACEManager is required, restrict access using Private APN, VPN, or ALEOS Trusted IP feature to limit access to authorized hosts only

HARDENINGEnsure all ALEOS devices use strong, unique random credentials; verify non-default credentials are in place

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

AirLink Router with ALEOS Software: Airlink Router (MP70, RV50, RV50x, RV55, LX 40, LX60) running ALEOS software:

HOTFIXUpgrade MP70, RV50, RV50x, RV55, LX 40, LX60 to ALEOS version 4.16.0 or later

AirLink Router with ALEOS Software: Airlink Router (ES450, GX450) running ALEOS software:

HOTFIXUpgrade ES450, GX450 to ALEOS version 4.9.8 or later when available

CVEs (2)

CVE-2022-46649 CVE-2022-46650

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/c8ae26c9-3160-4662-8ce3-8acfe01d945e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.