VYPR
Unrated severity · NVD Advisory · Published May 6, 2019 · Updated Aug 5, 2024

CVE-2018-4061

Description

An exploitable command injection vulnerability exists in the ACEManager iplogging.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can inject arbitrary commands, resulting in arbitrary command execution. An attacker can send an authenticated HTTP request to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An authenticated command injection vulnerability in Sierra Wireless AirLink ES450 ACEManager iplogging.cgi allows remote code execution as root.

Vulnerability

A command injection vulnerability exists in the iplogging.cgi script of the ACEManager web interface on Sierra Wireless AirLink ES450 devices running firmware version 4.9.3. The script passes the user-supplied tcpdumpParams value to tcpdump without sanitizing it, so an attacker can include a -z flag naming an arbitrary postrotate command, which tcpdump runs when a capture file rotates. The -G flag must also be set to define a rotation interval; without a rotation the postrotate command never executes. Affected versions include all ES450 firmware prior to 4.9.4 [2][3].

Exploitation

An attacker must first authenticate to the ACEManager web interface. The attacker then sends a crafted POST request to /admin/tools/iplogging.cgi whose tcpdumpParams value carries a -z flag naming the command to run, together with a -G flag so that a rotation occurs and the postrotate command fires. ACEManager is not reachable from the cellular WAN by default, but it can be reached from the local network [3].

Impact

Successful exploitation allows arbitrary command execution as the root user, leading to full compromise of the device. The attacker can read, modify, or delete sensitive data, install malware, or pivot to other network resources. The CVSS v3 base score is 9.1 (Critical) with vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H [2].

Mitigation

Sierra Wireless released firmware version 4.9.4 to address this vulnerability. Users should upgrade to 4.9.4 or later. If upgrading is not immediately possible, restrict network access to the ACEManager interface to trusted hosts only. No workaround is available that fully mitigates the vulnerability without patching [2][3].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The `-z` flag in the `tcpdumpParams` parameter is not sanitized or escaped, allowing an attacker to inject arbitrary commands that are executed as root via tcpdump's postrotate-command mechanism."

Attack vector

An authenticated attacker sends a POST request to `/admin/tools/iplogging.cgi` with a crafted `tcpdumpParams` value containing the `-z` flag followed by an arbitrary command and the `-G` flag to set a rotation timeframe [ref_id=1]. The `-z` flag is not properly escaped or removed, so tcpdump executes the injected command as root when the rotation triggers [ref_id=1]. The attacker must first authenticate to the ACEManager web interface, which is not accessible by default from the Cellular WAN [ref_id=1]. The vulnerability is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command [ref_id=1].

Affected code

The vulnerability exists in the `iplogging.cgi` endpoint of the ACEManager web server on the Sierra Wireless AirLink ES450 [ref_id=1]. The `-z` flag passed via the `tcpdumpParams` parameter is not properly escaped or removed, allowing command injection [ref_id=1]. The AirLink GX450 is also likely affected [ref_id=1].

What the fix does

No patch is included in the bundle. The advisory does not specify a fix, but the vendor acknowledged the disclosure on 2018-12-17 and established timelines for a fix prior to the public release on 2019-04-25 [ref_id=1]. Proper remediation would accept the tcpdumpParams value only if every flag and value in it is on an allow-list; merely stripping a literal `-z` token is fragile, because tcpdump's option parsing also accepts the command attached to the flag (`-zcmd`), and other flags such as `-w` choose where a capture is written.

Preconditions

  • auth: Attacker must authenticate to the ACEManager web interface with valid credentials.
  • network: Attacker must have network access to the ACEManager web server (port 9191 by default); the web application is not accessible by default from the Cellular WAN.
  • input: Attacker must send a crafted POST request to /admin/tools/iplogging.cgi with a tcpdumpParams value containing the -z flag and an arbitrary command.

Reproduction

The advisory includes a Python proof-of-concept script that reproduces the vulnerability [ref_id=1]. The script authenticates to the device, then sends a POST request to `/admin/tools/iplogging.cgi` with `tcpdumpParams=tcpdump -z <cmd> -G 1 -i eth0&stateRequest=start`, where `<cmd>` is the attacker's command. The full PoC is provided in the reference write-up [ref_id=1].
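The following is an added example, not code from Sierra Wireless, ALEOS or the Talos write-up. It shows the allow-list validation that the "What the fix does" section calls for, applied to POST bodies in the shape the PoC above uses. The allow-list of flags, the `reboot` stand-in for `<cmd>`, and every sample body are constructed for this example; the real iplogging.cgi is not available, so the code assumes the CGI receives the whole tcpdumpParams value and would otherwise hand it to tcpdump unchanged.

```python
"""Allow-list validator for a user-supplied tcpdump argument string.

Added example for CVE-2018-4061 (not vendor code). tcpdump's -z flag names a
postrotate command that tcpdump executes itself once -G/-C triggers a rotation,
so the only safe approach is to accept nothing that is not explicitly allowed.
"""
import re
import shlex
from urllib.parse import parse_qs

# Flags a packet-logging UI legitimately needs (assumed allow-list) and the
# shape their values must have. Anything else, including -z, -G, -w, -zcmd,
# -G1 and --long-options, is rejected by falling through to the default case.
FLAGS_WITH_VALUE = {
    "-i": re.compile(r"^[A-Za-z0-9_.-]{1,15}$"),   # interface name
    "-c": re.compile(r"^[1-9][0-9]{0,5}$"),        # packet count
    "-s": re.compile(r"^[0-9]{1,5}$"),             # snaplen
}
FLAGS_NO_VALUE = {"-n", "-nn", "-e", "-q", "-v", "-vv"}
# BPF filter words such as "port", "80", "host", "10.0.0.1": no shell metacharacters.
FILTER_TOKEN = re.compile(r"^[A-Za-z0-9.:/]+$")
MAX_TOKENS = 32


def validate_tcpdump_params(value):
    """Return (ok, reason). ok is True only if every token is on the allow-list."""
    try:
        tokens = shlex.split(value)
    except ValueError as exc:                 # unbalanced quotes and similar
        return False, f"unparseable: {exc}"
    if tokens and tokens[0] == "tcpdump":     # PoC bodies start with the program name
        tokens = tokens[1:]
    if not tokens:
        return False, "empty capture spec"
    if len(tokens) > MAX_TOKENS:
        return False, "too many tokens"
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            if tok in FLAGS_NO_VALUE:
                i += 1
                continue
            if tok in FLAGS_WITH_VALUE:
                if i + 1 >= len(tokens) or not FLAGS_WITH_VALUE[tok].match(tokens[i + 1]):
                    return False, f"bad value for {tok}"
                i += 2
                continue
            return False, f"flag not allowed: {tok}"
        if not FILTER_TOKEN.match(tok):
            return False, f"filter token not allowed: {tok!r}"
        i += 1
    return True, "ok"


def check_iplogging_body(body):
    """Classify one application/x-www-form-urlencoded POST body as the CGI would see it."""
    form = parse_qs(body, keep_blank_values=True)
    params = form.get("tcpdumpParams", [""])[0]
    ok, reason = validate_tcpdump_params(params)
    return {"tcpdumpParams": params, "allowed": ok, "reason": reason,
            "stateRequest": form.get("stateRequest", [""])[0]}


# Constructed request bodies: one benign capture request, the PoC shape from the
# advisory with "reboot" standing in for <cmd>, and three evasion attempts.
CONSTRUCTED_BODIES = {
    "benign":   "tcpdumpParams=tcpdump+-i+eth0+-c+100+port+80&stateRequest=start",
    "poc":      "tcpdumpParams=tcpdump+-z+reboot+-G+1+-i+eth0&stateRequest=start",
    "attached": "tcpdumpParams=tcpdump+-zreboot+-G1+-i+eth0&stateRequest=start",
    "quoted":   "tcpdumpParams=tcpdump+-i+%22eth0+-z+id%22&stateRequest=start",
    "meta":     "tcpdumpParams=tcpdump+-i+eth0+port+80%3B+id&stateRequest=start",
}

if __name__ == "__main__":
    for name, body in CONSTRUCTED_BODIES.items():
        verdict = check_iplogging_body(body)
        print(f"{name:9s} allowed={verdict['allowed']!s:5s} {verdict['reason']}")
```

Validation is only half of the fix: even an allow-listed argument string should be passed to tcpdump as an argv list without a shell, so that no quoting trick in a filter word can reach a command interpreter. The allow-list matters regardless of the shell, because `-z` is executed by tcpdump itself.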

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0 (no linked articles in our index yet)