CVE-2018-4062
Description
A hard-coded credentials vulnerability exists in the snmpd function of the Sierra Wireless AirLink ES450 FW 4.9.3. Activating snmpd outside of the WebUI can cause the activation of the hard-coded credentials, resulting in the exposure of a privileged user. An attacker can activate snmpd without any configuration changes to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hard-coded SNMPv3 credentials in Sierra Wireless AirLink ES450 FW 4.9.3 expose a privileged user when snmpd is activated outside the WebUI.
Vulnerability
The Sierra Wireless AirLink ES450 running firmware version 4.9.3 contains hard-coded SNMPv3 credentials (username "sierra", authentication passphrase "12345678", and privacy passphrase "abcdefgh") in the snmpd.conf file [3]. These credentials are activated when the snmpd service is started outside of the WebUI, without requiring any configuration changes [2][3]. The vulnerability is classified as CWE-798: Use of Hard-coded Credentials [2][3]. Affected products include the ES450 and GX450 running versions prior to 4.9.4 [2].
Exploitation
An attacker can trigger the vulnerability by activating the snmpd service outside of the WebUI, which does not require any prior configuration changes [2]. No authentication is needed to initiate this activation; the attacker only needs network access to the device. Once snmpd is running with the hard-coded credentials, the attacker can use standard SNMPv3 tools (e.g., snmpwalk) to query the device using the known credentials [3]. The attacker must know the hard-coded credentials, which are publicly disclosed in the Talos report [3].
Impact
Successful exploitation allows an attacker to gain read-write access to the device via SNMPv3 with the "sierra" user, which has privileged read-write permissions [3]. This can lead to information disclosure of device configuration and potentially allow modification of SNMP-manageable parameters. The CVSS v3 base score is 6.2 (medium severity) per CISA [2], while Talos assigned a score of 7.7 [3]. The attacker does not need any prior authentication to trigger the vulnerability.
Mitigation
Sierra Wireless released firmware version 4.9.4 for the ES450 and GX450 to address this vulnerability [2]. Users should update to version 4.9.4 or later. For other affected products (LS300, GX400, GX440, ES440 prior to 4.4.9; MP70, MP70E, RV50, RV50X, LX40, LX60 prior to 4.12), corresponding updates are available [2]. As a workaround, ensure snmpd is only activated through the WebUI and not via other means. No known exploitation in the wild has been reported as of the advisory publication.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Sierra Wireless/AirLink ES450
- Range: = 4.9.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Hard-coded SNMPv3 credentials (sierra:12345678:abcdefgh) are left in default configuration files and become active when snmpd is started outside of the WebUI."
Attack vector
An attacker who can execute the snmpd daemon outside of the WebUI (e.g., via a root shell or another exploit) triggers the activation of hard-coded SNMPv3 credentials [ref_id=1]. The credentials are `sierra:12345678:abcdefgh`, where the user `sierra` has read-write privileges [ref_id=1]. Once snmpd is started this way, the attacker can perform an authenticated SNMPv3 walk of the device's MIB using a command such as `snmpwalk -v3 -u sierra -l authPriv -a MD5 -A 12345678 -x DES -X abcdefgh 192.168.13.31 -e 80001f8880e8e6831c32486858` [ref_id=1]. No configuration changes are needed to exploit this; the attacker only needs network access to the device and a way to start snmpd externally [ref_id=1].
Affected code
The vulnerability resides in two SNMP configuration files on the Sierra Wireless AirLink ES450 FW 4.9.3: `/usr/local/share/snmp/snmpd.conf` and `/var/net-snmp/snmpd.conf` [ref_id=1]. The first file contains a `rwuser sierra` directive granting read-write SNMPv3 access, and the second file contains a `createUser sierra MD5 "12345678" DES "abcdefgh"` line that defines the hard-coded credentials [ref_id=1].
What the fix does
The advisory does not include a patch or specific remediation code [ref_id=1]. The issue was disclosed to the vendor on 2018-12-14 and the vendor acknowledged it, but no fix is published in the provided bundle [ref_id=1]. The advisory notes that activating SNMP through the WebUI overwrites one of the two configuration files, which prevents the hard-coded credentials from being active. This suggests that the intended remediation is to ensure snmpd is only activated through the WebUI configuration path, or to remove the hard-coded `createUser` and `rwuser` entries from the default configuration files [ref_id=1].
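A configuration audit for the condition described above, as an added example that is not from the advisory or the vendor: it parses net-snmp configuration text, finds `createUser` lines that embed passphrases, and correlates them with `rwuser`/`rouser` grants that may live in a different file. The function names, the severity labels and the sample file contents are assumptions made for illustration.

```python
import shlex

# Constructed sample: the createUser and "rwuser sierra" lines are the ones the
# advisory quotes; the comment and the rouser entry are invented for contrast.
SAMPLE_FILES = {
    "/usr/local/share/snmp/snmpd.conf": "# access control\nrwuser sierra\nrouser monitor priv\n",
    "/var/net-snmp/snmpd.conf": 'createUser sierra MD5 "12345678" DES "abcdefgh"\n',
}

def _skip_option(args, flag):  # drop a leading "<flag> VALUE" pair
    return args[2:] if args[:1] == [flag] else args

def parse_conf(text):
    """Return ({user: (auth, priv)}, {user: directive}) for one snmpd.conf."""
    users, grants = {}, {}
    for line in text.splitlines():
        try:
            tokens = shlex.split(line, comments=True)  # handles quotes and '#'
        except ValueError:
            tokens = []  # unbalanced quote: not a usable directive
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive == "createuser":
            args = _skip_option(args, "-e")  # optional engine ID
            if len(args) >= 3:  # name, auth type, passphrase stored in the file
                priv = args[3].upper() if len(args) > 3 else None
                users[args[0]] = (args[1].upper(), priv)
        elif directive in ("rwuser", "rouser"):
            args = _skip_option(args, "-s")  # optional security model
            if args:
                grants[args[0]] = directive
    return users, grants

def audit(files):
    """Correlate embedded credentials with access grants across all files."""
    users, grants = {}, {}
    for path, text in files.items():
        found_users, found_grants = parse_conf(text)
        users.update({u: (path, algs) for u, algs in found_users.items()})
        grants.update({u: (path, kind) for u, kind in found_grants.items()})
    findings = []
    for name, (cred_file, algs) in sorted(users.items()):
        grant_file, kind = grants.get(name, (None, None))
        findings.append({"user": name, "credential_file": cred_file,
                         "grant": kind, "grant_file": grant_file,
                         "weak_algorithms": [a for a in algs if a in ("MD5", "DES")],
                         "severity": "high" if kind == "rwuser" else "medium" if kind else "low"})
    return findings
```

Call `audit()` with a mapping of path to file contents read from an extracted firmware image or a device backup; a `high` finding means a passphrase stored in one file is paired with a read-write grant, possibly in another.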
Preconditions
- input: Attacker must be able to start snmpd outside of the WebUI (e.g., via root shell or another exploit)
- network: Attacker must have network access to the device to send SNMPv3 queries
- config: SNMP must not have been previously activated through the WebUI (which overwrites the vulnerable config files)
Reproduction
1. Start snmpd outside of the WebUI by executing `/usr/local/sbin/snmpd -f` on the device (requires shell access) [ref_id=1].
2. From a remote machine, run: `snmpwalk -v3 -u sierra -l authPriv -a MD5 -A 12345678 -x DES -X abcdefgh 192.168.13.31 -e 80001f8880e8e6831c32486858` [ref_id=1].
3. Observe that the snmpwalk succeeds and returns the full MIB tree, confirming read-write access with the hard-coded credentials [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/152647/Sierra-Wireless-AirLink-ES450-SNMPD-Hard-Coded-Credentials.html (mitre, x_refsource_MISC)
- www.securityfocus.com/bid/108147 (mitre, vdb-entry, x_refsource_BID)
- ics-cert.us-cert.gov/advisories/ICSA-19-122-03 (mitre, x_refsource_MISC)
- talosintelligence.com/vulnerability_reports/TALOS-2018-0747 (mitre, x_refsource_MISC)