CVE-2018-4064
Description
An exploitable unverified password change vulnerability exists in the ACEManager upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an unverified device configuration change, resulting in an unverified change of the user password on the device. An attacker can make an authenticated HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated attacker can change the user password on Sierra Wireless AirLink ES450 without providing the current password via a crafted XML template upload.
Vulnerability
A CWE-620 unverified password change vulnerability exists in the ACEManager upload.cgi functionality of Sierra Wireless AirLink ES450 firmware version 4.9.3. The web server, which handles device reconfiguration and user authentication, allows authenticated users to upload XML templates that modify MSCIID settings. By crafting a template that includes the msciid="5003" item corresponding to User Password, an attacker can set a new password value without any verification of the current password. The ACEManager web application is not accessible by default from the Cellular WAN [1].
Exploitation
An attacker must first obtain valid authentication credentials for the device's Web UI. With those credentials, the attacker sends an HTTP request to the upload.cgi endpoint containing a specially crafted XML payload such as:
<?xml version="1.0" ?>
No interaction from the device administrator is required beyond the attacker's authenticated session. The attacker does not need to provide the current password [1].
Impact
Successful exploitation results in the attacker changing the device user password to a value of their choosing. This can lead to a full compromise of the device's administrative interface, enabling the attacker to alter other device configurations, potentially disrupting business-critical services such as point-of-sale devices or SCADA equipment. The CVSSv3 score is 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L), indicating a high impact on integrity and a low impact on availability [1].
Mitigation
Sierra Wireless released firmware update 4.9.4 on 2019-09-09 to address this vulnerability, as well as other issues. Users should upgrade to version 4.9.4 or later. No workarounds are documented for devices running the vulnerable firmware 4.9.3. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Sierra Wireless/AirLink ES450 FW
  - Range: FW 4.9.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing verification of the current password when changing the user password via XML template upload in ACEManager's upload.cgi and template_load.cgi."
Attack vector
An authenticated attacker sends a specially crafted HTTP POST request to `/cgi-bin/upload.cgi` containing an XML template with an `item` element that sets `msciid="5003"` (User Password) to a new value [1]. The attacker then sends a second POST request to `/cgi-bin/template_load.cgi` with the path to the uploaded template file, causing the device to apply the new password without requiring the old password [1]. The attacker must already have valid authentication credentials (e.g., the default "user" password) and network access to the ACEManager web interface (typically on port 9191) [1].
Affected code
The vulnerability resides in the ACEManager web server's `upload.cgi` and `template_load.cgi` functionality on the Sierra Wireless AirLink ES450 (FW 4.9.3) [1]. The `upload.cgi` endpoint accepts XML template files that include MSCIID settings, and `template_load.cgi` applies those settings without verifying the user's current password [1].
What the fix does
The advisory does not include a patch diff or specific fix details [1]. The vendor acknowledged the issue on 2018-12-17 and established timelines for a fix, with public disclosure occurring on 2019-04-25 [1]. To remediate this vulnerability, the ACEManager should require the current password before allowing a password change via template upload, ensuring that the `upload.cgi` and `template_load.cgi` endpoints enforce the same verification as the normal password change flow [1].
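The check this remediation calls for can be sketched as a gate that runs before a template is applied. This is an added example, not Sierra Wireless code or the vendor's fix; the root element name, the sample templates, the non-credential ID `1234`, and the `check_password` callback are assumptions, and only the `item` element and `msciid="5003"` come from this page.

```python
import xml.etree.ElementTree as ET

# 5003 (User Password) is the only credential MSCIID named on this page.
CREDENTIAL_MSCIIDS = {5003}

# Constructed samples; root element name and item layout are assumptions.
PASSWORD_TEMPLATE = (b'<?xml version="1.0" ?><template>'
                     b'<item msciid="05003">EXAMPLE-VALUE</item></template>')
BENIGN_TEMPLATE = (b'<?xml version="1.0" ?><template>'
                   b'<item msciid="1234">EXAMPLE-VALUE</item></template>')


class TemplateRejected(Exception):
    """The uploaded template must not be applied."""


def credential_items(template_xml: bytes) -> list:
    """Return the credential MSCIIDs that a template would set."""
    # Refuse DTDs outright so entity expansion never reaches the parser.
    if b"<!DOCTYPE" in template_xml.upper():
        raise TemplateRejected("DTDs are not allowed in templates")
    try:
        root = ET.fromstring(template_xml)
    except ET.ParseError as exc:
        raise TemplateRejected(f"malformed template: {exc}") from exc
    found = []
    for el in root.iter():
        # Match on the local name so a namespace prefix cannot hide an item.
        if el.tag.rsplit("}", 1)[-1].lower() != "item":
            continue
        raw = (el.get("msciid") or "").strip()
        # Compare numerically so "05003" or " 5003 " cannot slip past.
        if raw.isdecimal() and int(raw) in CREDENTIAL_MSCIIDS:
            found.append(int(raw))
    return found


def authorize_template(template_xml, current_password, check_password):
    """Raise TemplateRejected unless the template may be applied.

    check_password is a hypothetical callback standing in for the same
    verification the normal password change flow performs.
    """
    touched = credential_items(template_xml)
    if touched and not (current_password and check_password(current_password)):
        raise TemplateRejected(f"MSCIID {touched} requires the current password")
    return touched
```

The same `credential_items` function can be run over templates recovered from a device or from captured `upload.cgi` request bodies to find past password changes made through this path.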
Preconditions
- auth: Attacker must have valid authentication credentials (e.g., the 'user' account password)
- network: Attacker must have network access to the ACEManager web interface (typically port 9191)
- network: The ACEManager web application is not accessible by default from the Cellular WAN, so the attacker typically needs LAN access
Reproduction
The following Python proof-of-concept script (authored by Carl Hurd, Cisco Talos) reproduces the vulnerability [1]:
```python
#!/usr/bin/env python
import sys
import requests
from requests_toolbelt.utils import dump

def auth(ip, port, password):
    data = """
```
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2018-0749 (mitre, x_refsource_MISC)