CVE-2018-4071
Description
An exploitable Information Disclosure vulnerability exists in the ACEManager EmbeddedAceGet_Task.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. The EmbeddedAceTLGet_Task.cgi executable is used to retrieve MSCII configuration values within the configuration manager of the AirLink ES450. This binary does not have any restricted configuration settings, so once the MSCIID is discovered, any authenticated user can send configuration changes using the /cgi-bin/Embedded_Ace_TLGet_Task.cgi endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An information disclosure vulnerability in Sierra Wireless AirLink ES450 ACEManager allows authenticated users to retrieve plaintext passwords and SNMP community strings.
Vulnerability
The vulnerability resides in the Embedded_Ace_Get_Task.cgi endpoint of the ACEManager web server on the Sierra Wireless AirLink ES450 running firmware version 4.9.3. This CGI script retrieves MSCII configuration values without enforcing access restrictions, allowing any authenticated user to query sensitive settings. The issue also likely affects the AirLink GX450 product [1].
Exploitation
An attacker must first obtain valid credentials for the ACEManager web interface or have local access to the device to run the binary directly. Once authenticated, a specially crafted HTTP request to /cgi-bin/Embedded_Ace_TLGet_Task.cgi (or the equivalent endpoint) triggers the information disclosure. The attacker needs to know the MSCIID, which can be discovered through other means [1].
Impact
Successful exploitation results in the exposure of confidential configuration data, including plaintext passwords and SNMP community strings. This information can be used to further compromise the device or the network. The CVSSv3 score is 7.7 (High) with a confidentiality impact of High and no impact on integrity or availability [1].
Mitigation
As of the advisory publication date, no patch has been released by Sierra Wireless. The vendor notes that the ACEManager web application is not accessible by default from the Cellular WAN, which may reduce the attack surface. No official workaround is provided; users should restrict network access to the management interface and monitor for suspicious activity [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Sierra Wireless/AirLink ES450
  - Range: =4.9.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The Embedded_Ace_TLGet_Task.cgi binary does not enforce any access restrictions on which MSCII configuration values can be retrieved, allowing any authenticated user to query sensitive settings including plaintext passwords."
Attack vector
An attacker who has already obtained valid credentials for the ACEManager web interface (or who can execute binaries via SSH) can send a crafted POST request to the /cgi-bin/Embedded_Ace_TLGet_Task.cgi endpoint with a known MSCII ID (e.g., colsid=5003 for the user password) [1]. The binary has -rwxr-xr-x permissions, so it can also be invoked directly from an SSH session, bypassing any web-UI restrictions [1]. The ACEManager web application is not accessible by default from the Cellular WAN, so the attacker must first reach the device on the LAN or management network [1].
Affected code
The vulnerable endpoint is /cgi-bin/Embedded_Ace_TLGet_Task.cgi on the Sierra Wireless AirLink ES450 running firmware version 4.9.3 [1]. The binary has file permissions -rwxr-xr-x, making it executable outside the web UI (e.g., over SSH) [1]. The advisory states the AirLink GX450 is likely also affected [1].
What the fix does
The advisory does not include a patch or vendor fix description [1]. The recommended remediation is to implement proper authorization checks within the Embedded_Ace_TLGet_Task.cgi binary so that only privileged users (or specific MSCIID values) can retrieve sensitive configuration data such as plaintext passwords. Without such access controls, any authenticated user, or any user with shell access, can read all device configuration values.
Preconditions
- network: Attacker must have network access to the device on the LAN or management network (the ACEManager web app is not accessible by default from Cellular WAN)
- auth: Attacker must possess valid credentials for the ACEManager web interface (or have shell access via SSH)
- input: Attacker must know the target MSCII ID (e.g., 5003 for the user password)
Reproduction
The advisory includes a proof-of-concept Python script that authenticates to the ACEManager XML API and then retrieves the session cookie [1]. To reproduce:
1) Authenticate via POST to /xml/Connect.xml with valid credentials to obtain a token cookie.
2) Send a POST request to /cgi-bin/Embedded_Ace_TLGet_Task.cgi with the body "rows=1&colsid=5003" and the token cookie.
The response will contain the plaintext password for the device [1].
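A defender-side check for the request shape described above, added here as an example; it is not code from the advisory or the vendor. It assumes a proxy or sensor that logs request bodies as JSON lines with hypothetical fields src, method, path and body, and a hypothetical management subnet 10.20.0.0/28; the colsid value 10 in the sample records is constructed.

```python
import ipaddress
import json
from urllib.parse import parse_qs, unquote

ENDPOINT = "/cgi-bin/Embedded_Ace_TLGet_Task.cgi"   # endpoint named in the CVE description
SENSITIVE_IDS = {"5003"}                            # MSCII ID the page gives for the user password
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/28")]  # hypothetical admin subnet (assumption)

def normalise_path(raw):
    """Drop the query string, percent-decode once, collapse repeated slashes."""
    path = unquote(raw.split("?", 1)[0])
    while "//" in path:
        path = path.replace("//", "/")
    return path

def classify(rec):
    """Return None for unrelated traffic, else a finding for one logged request."""
    if (str(rec.get("method", "")).upper() != "POST"
            or normalise_path(str(rec.get("path", ""))) != ENDPOINT):
        return None
    # parse_qs percent-decodes values, so colsid=%35003 is read as 5003
    ids = {v.strip() for v in parse_qs(str(rec.get("body", ""))).get("colsid", [])}
    hits = sorted(ids & SENSITIVE_IDS)
    try:
        mgmt = any(ipaddress.ip_address(str(rec.get("src"))) in n for n in MGMT_NETS)
    except ValueError:
        mgmt = False  # an unparseable source is never treated as trusted
    severity = "high" if hits else ("info" if mgmt else "medium")
    return {"src": rec.get("src"), "severity": severity, "colsid": sorted(ids),
            "sensitive": hits, "from_mgmt": mgmt}

def scan(lines):
    findings = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not JSON: skip the line
        if isinstance(rec, dict) and (finding := classify(rec)):
            findings.append(finding)
    return findings

# Constructed sample records, not captured from a real device
SAMPLE_LOG = [
    '{"src":"10.20.0.5","method":"POST","path":"/xml/Connect.xml","body":""}',
    '{"src":"10.20.0.5","method":"POST","path":"/cgi-bin/Embedded_Ace_TLGet_Task.cgi","body":"rows=1&colsid=10"}',
    '{"src":"192.168.13.77","method":"POST","path":"/cgi-bin//Embedded_Ace_TLGet_Task.cgi","body":"rows=1&colsid=%35003"}',
    '{"src":"192.168.13.77","method":"POST","path":"/cgi-bin/Embedded_Ace_TLGet_Task.cgi","body":"rows=1&colsid=10"}',
]
```

Calling `scan(SAMPLE_LOG)` rates a read of ID 5003 as high from any source, other reads from outside the management subnet as medium, and reads from inside it as info.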
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] talosintelligence.com/vulnerability_reports/TALOS-2018-0755 (mitre, x_refsource_MISC)