CVE-2018-4070

Vulnerability

CVE-2018-4070 is an information disclosure vulnerability in the ACEManager Embedded_Ace_Get_Task.cgi endpoint of Sierra Wireless AirLink ES450 firmware version 4.9.3 [1]. The binary does not enforce any restricted configuration settings, meaning any authenticated user who discovers a valid MSCIID can retrieve arbitrary configuration values, including plaintext passwords and SNMP community strings [1]. The affected firmware is 4.9.3 for the ES450, and the vendor notes the GX450 product is likely also affected [1].

Exploitation

An attacker must have network access to the ACEManager web server and valid authenticated session credentials (at least a low-privilege user) [1]. The web server is not accessible by default from the Cellular WAN, but is reachable on the LAN side [1]. The attacker crafts an HTTP GET request to /cgi-bin/Embedded_Ace_Get_Task.cgi with a known or brute-forced MSCIID parameter; no special user role is required because the endpoint does not check which configuration keys the user is allowed to read [1].

Impact

Successful exploitation leads to exposure of sensitive device configuration data, including plaintext credentials (passwords) and SNMP community strings [1]. This enables the attacker to further compromise the device or the network it manages via credential reuse or SNMP-based attacks. The vulnerability is classified as CWE-200 (Information Exposure), with a CVSSv3 score of 7.7 (High) and impacts confidentiality only, with scope change (S:C) [1].

Mitigation

As of the Talos advisory (TALOS-2018-0755), Sierra Wireless had not released a firmware update to address this issue [1]. Users should restrict LAN access to the ACEManager web interface using firewall rules, and ensure HTTPS is enforced to prevent credential sniffing during exploitation. No workaround fully eliminates the vulnerability, but disabling the ACEManager service if not required may reduce exposure [1]. No KEV listing exists for this CVE.