CVE-2018-4072

Name of the Vulnerable Software and Affected Versions Sierra Wireless AirLink ES450 FW version 4.9.3

Description A Permission Assignment issue exists in the ACEManager EmbeddedAceSet Task.cgi functionality. The EmbeddedAceSet Task.cgi executable is used to change MSCII configuration values within the configuration manager. This binary lacks restricted configuration settings, allowing any authenticated user to send configuration changes using the "/cgi-bin/Embedded Ace Set Task.cgi" endpoint once the MSCIID is discovered.

Recommendations For Sierra Wireless AirLink ES450 FW version 4.9.3, consider restricting access to the "/cgi-bin/Embedded Ace Set Task.cgi" endpoint to prevent unauthorized configuration changes until a patch is available.