CVE-2018-4067
Description
An exploitable information disclosure vulnerability exists in the ACEManager template_load.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can cause an information leak, resulting in the disclosure of internal paths and files. An attacker can make an authenticated HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated attacker can exploit an information disclosure vulnerability in Sierra Wireless AirLink ES450 ACEManager template_load.cgi to leak internal file paths.
Vulnerability
The vulnerability resides in the /cgi-bin/template_load.cgi binary of the ACEManager web server on Sierra Wireless AirLink ES450 running firmware version 4.9.3. By sending a specially crafted HTTP request that bypasses the normal upload stage and directly accesses template_load.cgi with a directory traversal in the path parameter, an attacker can cause the device to disclose whether a given file exists or not, thereby leaking internal paths and filenames. The affected product is the ES450 with firmware versions prior to 4.9.4 [2][3].
Exploitation
The attacker must have authenticated access to the ACEManager web interface. No additional privileges are required. The attacker crafts an HTTP request to template_load.cgi with a traversed path (e.g., ../../etc/passwd). The device returns different error messages depending on whether the file exists, enabling the attacker to map the filesystem [3]. The attack is remotely exploitable over the network if the web interface is accessible [2][3].
Impact
Successful exploitation results in information disclosure. The attacker can enumerate internal file paths and confirm the existence of specific files on the device. This may expose sensitive configuration files, credentials, or other data stored on the filesystem. The CVSS v3 base score is 5.0 (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N) [3].
Mitigation
Sierra Wireless released firmware version 4.9.4 which remediates this vulnerability for the ES450 and GX450 devices. Users should upgrade to firmware version 4.9.4 or later [2]. As a workaround, if the ACEManager web interface is not required on the Cellular WAN, ensure it is not exposed to untrusted networks, as the vendor states the web application is not accessible by default from the Cellular WAN [3].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Sierra Wireless/AirLink ES450
- Range: = 4.9.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the `path` parameter in `template_load.cgi` allows directory traversal, enabling an attacker to probe for the existence of arbitrary files on the device."
Attack vector
An authenticated attacker sends a crafted HTTP POST request to `/cgi-bin/template_load.cgi` with a `path` parameter containing directory traversal sequences (e.g., `path=/www/auth/user/../../../etc/shadow`). The endpoint returns different HTTP status codes depending on whether the target file exists — a "501 Internal Error" when the file does not exist and a "400 Bad Request" when it does. By observing these status codes, an attacker can enumerate the existence of arbitrary files on the device filesystem [ref_id=1]. Authentication is required, but the attacker only needs a low-privilege "user" account [CWE-200].
Affected code
The vulnerability resides in the `/cgi-bin/template_load.cgi` binary of the ACEManager web server on the Sierra Wireless AirLink ES450 (FW 4.9.3). This CGI endpoint is responsible for loading previously uploaded template files for device configuration. The `path` parameter is not sanitized, allowing directory traversal sequences such as `../../../` to be injected.
What the fix does
The advisory does not include a patch diff or specific remediation code. The vendor acknowledged the disclosure on 2018-12-17 and established a timeline for a fix, but no patch details are present in the bundle [ref_id=1]. To remediate this vulnerability, the `template_load.cgi` endpoint should validate and sanitize the `path` parameter to reject directory traversal sequences, ensuring that only files within an allowed template directory can be accessed.
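The containment check described above, sketched as an added example (not the vendor's fix and not code from the advisory). The names `resolve_template` and `handle_template_load`, the response strings, and the template directory layout are assumptions; the sample tree is constructed in a temporary directory.

```python
import os
import tempfile

def resolve_template(base_dir, requested):
    """Return the canonical path if it stays inside base_dir, else None."""
    if "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    # An absolute `requested` replaces base in join(), matching the request
    # style on the page (path=/www/auth/user/../../../etc/shadow).
    candidate = os.path.realpath(os.path.join(base, requested))
    # realpath() collapses ".." and follows symlinks before the comparison.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

def handle_template_load(base_dir, requested):
    """Hypothetical handler: one response for every path it will not serve."""
    path = resolve_template(base_dir, requested)
    if path is None or not os.path.isfile(path):
        # Same status and body whether the path was rejected, missing, or
        # present outside base_dir, so the reply is not an existence oracle.
        return 404, "template not available"
    return 200, "template loaded"

def demo():
    """Build a constructed directory tree and run the cases against it."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "www", "auth", "user")   # assumed template dir
    os.makedirs(base)
    os.makedirs(os.path.join(root, "etc"))
    open(os.path.join(base, "good.xml"), "w").close()
    open(os.path.join(root, "etc", "shadow"), "w").close()  # exists, outside base
    os.symlink(os.path.join(root, "etc", "shadow"), os.path.join(base, "link.xml"))
    cases = {
        "legit": "good.xml",
        "traversal_existing": base + "/../../../etc/shadow",
        "traversal_missing": base + "/../../../etc/shadows",
        "symlink_escape": "link.xml",
    }
    return {name: handle_template_load(base, p) for name, p in cases.items()}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Rejecting the traversal alone is not enough: the handler must also answer identically for existing and missing targets, since the differing status codes are what leak file existence.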
Preconditions
- auth: Attacker must have valid credentials for a 'user' account on the ACEManager web interface
- network: The ACEManager web server must be network-accessible (the vendor states it is not accessible by default from the Cellular WAN)
- network: Attacker must be able to send HTTP POST requests to /cgi-bin/template_load.cgi
Reproduction
1. Authenticate to the ACEManager web interface as a "user" account (e.g., using the provided Python PoC's `auth()` function which POSTs to `/xml/Connect.xml`).
2. Send a POST request to `/cgi-bin/template_load.cgi` with `Content-Type: application/x-www-form-urlencoded` and a body like `path=/www/auth/user/../../../etc/shadows`.
3. If the response contains `Status: 501 Internal Error`, the file does not exist.
4. If the response contains `Status: 400 Bad Request`, the file exists.

The PoC script in [ref_id=1] automates this process.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/152652/Sierra-Wireless-AirLink-ES450-ACEManager-template_load.cgi-Information-Disclosure.html (mitre, x_refsource_MISC)
- www.securityfocus.com/bid/108147 (mitre, vdb-entry, x_refsource_BID)
- ics-cert.us-cert.gov/advisories/ICSA-19-122-03 (mitre, x_refsource_MISC)
- talosintelligence.com/vulnerability_reports/TALOS-2018-0752 (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.