CVE-2018-4069
Description
An information disclosure vulnerability exists in the ACEManager authentication functionality of Sierra Wireless AirLink ES450 FW 4.9.3. The ACEManager authentication functionality is done in plaintext XML to the web server. An attacker can listen to network traffic upstream from the device to capitalize on this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sierra Wireless AirLink ES450 ACEManager transmits credentials in plaintext XML over HTTP, allowing network sniffing to capture administrator login.
Vulnerability
An information disclosure vulnerability exists in the ACEManager authentication functionality of Sierra Wireless AirLink ES450 firmware version 4.9.3. The ACEManager web server transmits user credentials in plaintext XML over HTTP when processing authentication requests to /xml/Connect.xml. This occurs because the communication channel is not encrypted, violating CWE-311 (Missing Encryption of Sensitive Data). The vulnerability affects the ES450 running FW 4.9.3, and by extension other AirLink ALEOS devices running versions prior to 4.9.4 (for GX450 and ES450) as indicated in ICSA-19-122-03 [2]. The vendor states the web application is not accessible by default from the Cellular WAN, meaning the attack surface is primarily on the local network side [3].
Exploitation
An attacker must have network access upstream from the device (i.e., be positioned to sniff traffic between the administrator and the ES450). No authentication is required on the attacker's part, but the attacker must be able to capture HTTP traffic destined for the ACEManager web server. The exploit step is simply passive listening: intercepting an HTTP POST request to /xml/Connect.xml that contains the administrator's credentials in cleartext XML. The attacker can then extract the login details from the captured request without any active manipulation [1][3].
Impact
Successful exploitation allows the attacker to obtain administrator credentials (username and password) for the ACEManager web interface. With these credentials, the attacker can authenticate to the device and gain full administrative access, which may lead to further compromise such as device reconfiguration, credential exposure, or pivoting to other systems on the network. The confidentiality of the credentials is directly breached, and successful logon grants the attacker an elevated privileged position on the device [2][3].
Mitigation
Sierra Wireless released firmware version 4.9.4 for the ES450 and GX450, which addresses this vulnerability by encrypting authentication traffic [2]. Users should upgrade to FW 4.9.4 or later. For devices that cannot be immediately patched, network segmentation should be employed to ensure that ACEManager is not accessible from untrusted networks, and administrators should only manage the device over a VPN or other encrypted channel. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date. No other workaround has been published [2][3].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Sierra Wireless/AirLink ES450
- Range: = FW 4.9.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing encryption of sensitive data — ACEManager transmits user credentials in plaintext XML over HTTP."
Attack vector
An attacker who can observe network traffic upstream from the AirLink ES450 device can capture the plaintext authentication request sent to the ACEManager web server. The client POSTs an XML payload containing the login and password fields (wrapped in a CDATA section) to /xml/Connect.xml over HTTP on port 9191 [ref_id=1]. Because no TLS or other encryption is applied, the credentials are visible to any party with access to the network path between the client and the device. The vendor has stated that the ACEManager web application is not accessible by default from the Cellular WAN, so the attacker typically needs to be on the same LAN or upstream network segment [ref_id=1].
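A defender-side check for the exposure described above, as an added example that is not part of the original page or the vendor's code: it flags reassembled HTTP requests that POST to /xml/Connect.xml and reports which credential fields were readable on the wire, without echoing their values. The sample requests are constructed, and the `<login>`/`<password>` element names, the wrapper elements and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample requests (not captured traffic). The element names
# <login>/<password> and the wrapper elements are assumptions for illustration.
SAMPLE_LOGIN = (
    "POST /xml/Connect.xml HTTP/1.1\r\n"
    "Host: 192.0.2.10:9191\r\n"
    "Content-Type: text/xml\r\n\r\n"
    "<request><connect><login>user</login>"
    "<password><![CDATA[EXAMPLE-ONLY]]></password></connect></request>"
)
SAMPLE_OTHER = "GET /index.html HTTP/1.1\r\nHost: 192.0.2.10:9191\r\n\r\n"

LOGIN_PATH = "/xml/Connect.xml"        # endpoint named on this page
CRED_FIELDS = ("login", "password")    # assumed element names


def audit_request(raw):
    """Return a finding (no secret values) if raw is a cleartext ACEManager login."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3 or parts[0] != "POST":
        return None
    if parts[1].split("?", 1)[0] != LOGIN_PATH:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    finding = {"host": headers.get("host", "unknown"), "path": LOGIN_PATH,
               "fields": [], "parsed": False}
    # Refuse DTDs so entity expansion in untrusted input cannot exhaust memory.
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return finding
    try:
        root = ET.fromstring(body)   # CDATA sections arrive as ordinary text
    except ET.ParseError:
        return finding
    present = {el.tag for el in root.iter() if (el.text or "").strip()}
    finding["fields"] = [f for f in CRED_FIELDS if f in present]
    finding["parsed"] = True
    return finding


def audit_all(requests):
    """Audit many reassembled requests; keep exposures and unparseable logins."""
    findings = [audit_request(r) for r in requests]
    return [f for f in findings if f and (f["fields"] or not f["parsed"])]
```

Any request this function can read was equally readable to anything else on the path, so a non-empty result for a device means its management logins should move behind a VPN or to patched firmware.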
Affected code
The vulnerability resides in the ACEManager web server's authentication endpoint at /xml/Connect.xml on the Sierra Wireless AirLink ES450 (FW 4.9.3) [ref_id=1]. The server accepts credentials in plaintext XML over HTTP without enforcing encryption.
What the fix does
The advisory does not include a patch or remediation code. The vendor was notified on 2018-12-14 and acknowledged the issue, but no fix is published in the provided bundle [ref_id=1]. To close the vulnerability, the ACEManager web server should enforce HTTPS/TLS for all authentication requests so that credentials are encrypted in transit. Until a firmware update is available, administrators should restrict network access to the ACEManager interface and avoid exposing it on untrusted networks.
Preconditions
- network: Attacker must be able to sniff network traffic on the path between the client and the AirLink ES450 device (e.g., same LAN or upstream network segment).
- network: The ACEManager web interface must be reachable from the attacker's network position (not blocked by firewall or WAN access controls).
Reproduction
1. Ensure the attacker has network access to the AirLink ES450's ACEManager web interface (default port 9191).
2. Run a packet capture tool (e.g., tcpdump, Wireshark) on the network path between the legitimate client and the device.
3. Wait for a user to authenticate, or use the provided Python PoC script to send a crafted authentication request: `python exploit.py <ip> <port> <password>` [ref_id=1].
4. Observe the plaintext XML POST to /xml/Connect.xml containing the login and password fields in the captured traffic.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- packetstormsecurity.com/files/152654/Sierra-Wireless-AirLink-ES450-ACEManager-Information-Exposure.html (mitre, x_refsource_MISC)
- www.securityfocus.com/bid/108147 (mitre, vdb-entry, x_refsource_BID)
- ics-cert.us-cert.gov/advisories/ICSA-19-122-03 (mitre, x_refsource_MISC)
- talosintelligence.com/vulnerability_reports/TALOS-2018-0754 (mitre, x_refsource_MISC)