CVE-2018-4073
Description
An exploitable Permission Assignment vulnerability exists in the ACEManager EmbeddedAceSet_Task.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. The the binary the endpoint /cgi-bin/Embeded_Ace_TLSet_Task.cgi is a very similar endpoint that is designed for use with setting table values that can cause an arbitrary setting writes, resulting in the unverified changes to any system setting. An attacker can make an authenticated HTTP request, or run the binary as any user, to trigger this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An exploitable Permission Assignment vulnerability in Sierra Wireless AirLink ES450 FW 4.9.3 allows authenticated users to write arbitrary system settings via the ACEManager EmbeddedAceSet_Task.cgi endpoint.
Vulnerability
The vulnerability is a Permission Assignment issue in the ACEManager EmbeddedAceSet_Task.cgi functionality of Sierra Wireless AirLink ES450 firmware version 4.9.3. The endpoint /cgi-bin/Embeded_Ace_TLSet_Task.cgi allows arbitrary setting writes without proper permission checks, enabling any authenticated user to modify any system configuration parameter. The ACEManager web server is not accessible by default from the Cellular WAN [1]. The binary does not restrict configuration settings, so once the MSCIID is discovered, authenticated users can send configuration changes.
Exploitation
An attacker requires authenticated access to the device, either via an HTTP request or by running the binary as any user. The attacker must discover the MSCIID (a configuration key identifier) and then send a specially crafted request to the vulnerable endpoint to write arbitrary system settings [1].
Impact
Successful exploitation allows the attacker to change any system setting without verification, leading to potential information disclosure, denial of service, or privilege escalation. The CVSSv3 score is 9.9, indicating critical impact on confidentiality and integrity with low impact on availability [1].
Mitigation
As of the publication date, no fix has been publicly disclosed in the available reference. Sierra Wireless has noted that ACEManager is not accessible by default from the Cellular WAN, which may limit exposure [1]. Users should restrict network access to the device and monitor for updates from the vendor.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Sierra Wireless/AirLink ES450description
- Range: = 4.9.3
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The `/cgi-bin/Embeded_Ace_TLSet_Task.cgi` binary lacks any authorization checks on which configuration settings can be modified, allowing any authenticated user to change arbitrary system settings including passwords."
Attack vector
An authenticated attacker sends a crafted HTTP POST request to `/cgi-bin/Embeded_Ace_TLSet_Task.cgi` with a `colsid` parameter (the MSCIID) and a `data` parameter containing the desired value, such as `colsid=5003&data=password012` to change a user password [ref_id=1]. Because the binary has no restricted configuration settings, any authenticated user can modify arbitrary system settings including passwords, service enable/disable flags, and any other configuration value [ref_id=1]. Additionally, the binary's world-executable permissions allow a low-privilege user who has logged in over SSH to run it directly, bypassing the web interface entirely [ref_id=1].
Affected code
The vulnerability exists in the `/cgi-bin/Embeded_Ace_TLSet_Task.cgi` endpoint within the ACEManager web server on the Sierra Wireless AirLink ES450 (FW 4.9.3). The binary has `-rwxr-xr-x` permissions, making it executable outside the web UI, including over SSH [ref_id=1].
What the fix does
The advisory does not include a patch or vendor fix. The recommended remediation is to restrict access to the `/cgi-bin/Embeded_Ace_TLSet_Task.cgi` endpoint so that only authorized administrators can invoke it, and to remove world-execute permissions from the binary to prevent execution by low-privilege users over SSH [ref_id=1]. The vendor has stated that the ACEManager web application is not accessible by default from the Cellular WAN, which partially mitigates remote exposure [ref_id=1].
Preconditions
- authAttacker must have valid authentication credentials (e.g., a 'user' account) to the ACEManager web interface or shell access to the device
- networkThe target device must have the ACEManager web server accessible on the network (default port 9191)
- inputThe attacker must know or discover the MSCIID (configuration setting identifier) for the target setting they wish to modify
Reproduction
The advisory includes a Python proof-of-concept script that authenticates to the ACEManager web interface and then sends a POST request to `/cgi-bin/Embeded_Ace_TLSet_Task.cgi` with the target MSCIID and value [ref_id=1]. For example, sending `colsid=5003&data=password012` changes the device password to "password012" [ref_id=1]. The script can also be run directly on the device over SSH since the binary has world-execute permissions [ref_id=1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1- talosintelligence.com/vulnerability_reports/TALOS-2018-0756mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.