CVE-2018-4068
Description
An exploitable information disclosure vulnerability exists in the ACEManager functionality of Sierra Wireless AirLink ES450 FW 4.9.3. An HTTP request can result in disclosure of the default configuration for the device. An attacker can send an unauthenticated HTTP request to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated HTTP request to the ACEManager web server on Sierra Wireless AirLink ES450 FW 4.9.3 discloses the device's default configuration, including the plaintext default password.
Vulnerability
The ACEManager web server in Sierra Wireless AirLink ES450 firmware version 4.9.3 exposes the device's default configuration file at /defaults.xml without requiring any authentication [1]. This file contains all factory-reset settings, including the default administrative password in plain text. The vulnerability exists because the web server does not enforce access controls on this endpoint. The ACEManager is not accessible by default from the Cellular WAN, but it is reachable from the local network [1].
Exploitation
An attacker with network access to the ACEManager interface (typically on TCP port 9191) can send a simple unauthenticated HTTP GET request to /defaults.xml [1]. No prior authentication, user interaction, or special privileges are required. The request can be made using any HTTP client, such as a web browser or curl.
Impact
Successful exploitation results in disclosure of the device's default configuration, which includes the default administrative password in plain text [1]. This information could allow an attacker to gain administrative access to the device if the default credentials have not been changed. The impact is limited to information disclosure (CWE-200) with low confidentiality impact, as the attacker does not obtain live configuration or session data.
Mitigation
As of the publication date, no firmware update has been announced by Sierra Wireless to address this vulnerability [1]. Mitigation steps include restricting network access to the ACEManager interface to trusted networks only, changing the default administrative password immediately after device deployment, and monitoring for unauthorized access attempts. Users should contact Sierra Wireless for potential firmware updates.
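A defender-side check for the monitoring step mentioned above, added here as an example and not part of the advisory or the vendor's code: it scans access logs for requests to /defaults.xml and rates each hit by whether the file was actually served (HTTP 200) and whether the source address lies inside an assumed trusted management network. It assumes Common Log Format lines from a reverse proxy or network sensor in front of ACEManager (the page does not describe the device's own log format); the log lines and the 10.0.0.0/24 trusted range are constructed.

```python
import ipaddress
import re

# Constructed Common Log Format lines (not from the advisory). Assumes a reverse
# proxy or network sensor in front of ACEManager records requests this way.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2019:09:15:02 +0000] "GET /defaults.xml HTTP/1.1" 200 18342',
    '192.168.13.7 - - [12/Mar/2019:09:16:41 +0000] "GET /defaults.xml?v=1 HTTP/1.1" 200 18342',
    '192.168.13.7 - - [12/Mar/2019:09:16:50 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Mar/2019:09:20:13 +0000] "GET /DEFAULTS.XML HTTP/1.1" 401 0',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumption: the management network from which ACEManager access is expected.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def is_trusted(src: str) -> bool:
    """True if the client address lies inside a trusted management network."""
    try:
        return any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS)
    except ValueError:  # malformed or non-IP source field
        return False


def find_defaults_xml_hits(lines):
    """One finding per request for /defaults.xml, rated by exposure.

    A 200 means the device served its default configuration (and with it the
    default admin password); a 200 to an untrusted source is the worst case.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Normalise case and drop any query string before comparing the path.
        path = m.group("path").split("?", 1)[0].lower()
        if path != "/defaults.xml":
            continue
        served = m.group("status") == "200"
        trusted = is_trusted(m.group("src"))
        severity = "high" if served and not trusted else "medium" if served else "info"
        hits.append({"src": m.group("src"), "ts": m.group("ts"), "served": served,
                     "status": int(m.group("status")), "trusted_source": trusted,
                     "severity": severity})
    return hits
```

Any "medium" or "high" finding means the default configuration has already left the device, so the default administrative password should be treated as known and rotated regardless of who requested it.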
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Sierra Wireless / AirLink ES450
  - Range: = 4.9.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The ACEManager web server exposes the default configuration file `/defaults.xml` without requiring any authentication."
Attack vector
An unauthenticated attacker sends a simple HTTP GET request to the ACEManager web server at the path `/defaults.xml` [1]. The server responds with the device's default configuration, which includes the default password in plain text [1]. The request requires no special privileges, no prior knowledge, and can be sent over the network as long as the web server is reachable [1].
Affected code
The ACEManager web server on the Sierra Wireless AirLink ES450 (FW 4.9.3) serves the file `/defaults.xml`, which is stored on the device at `/www/pub/defaults.xml`. No authentication is required to access this endpoint [1].
What the fix does
The advisory does not include a patch diff or specific remediation code. The vendor was notified and acknowledged the issue, and a timeline for a fix was established, but no patch details are provided in the reference [1]. To close the vulnerability, the ACEManager should require authentication before serving `/defaults.xml`, or remove the file from the publicly accessible web root [1].
Preconditions
- Network: The ACEManager web server must be network-accessible (the vendor states it is not accessible by default from the Cellular WAN, but it may be reachable via LAN or other interfaces)
- Auth: No authentication or prior knowledge is required
Reproduction
Send an unauthenticated HTTP GET request to `http://
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. talosintelligence.com/vulnerability_reports/TALOS-2018-0753 (MISC)
News mentions
No linked articles in our index yet.