CVE-2018-4071

Name of the Vulnerable Software and Affected Versions Sierra Wireless AirLink ES450 FW version 4.9.3

Description An Information Disclosure issue exists in the ACEManager EmbeddedAceGet Task.cgi functionality. The EmbeddedAceTLGet Task.cgi executable is used to retrieve MSCII configuration values within the configuration manager. This binary lacks restricted configuration settings, allowing any authenticated user to send configuration changes using the "/cgi-bin/Embedded Ace TLGet Task.cgi" endpoint.

Recommendations For Sierra Wireless AirLink ES450 FW version 4.9.3, consider restricting access to the "/cgi-bin/Embedded Ace TLGet Task.cgi" endpoint to prevent unauthorized configuration changes until a fix is available.