CVE-2018-4073

Name of the Vulnerable Software and Affected Versions Sierra Wireless AirLink ES450 FW version 4.9.3

Description A Permission Assignment issue exists in the ACEManager EmbeddedAceSet Task.cgi functionality. The endpoint "/cgi-bin/Embeded Ace TLSet Task.cgi" allows for arbitrary setting writes, resulting in unverified changes to any system setting. An attacker can trigger this issue by making an authenticated HTTP request or running the binary as any user.

Recommendations For Sierra Wireless AirLink ES450 FW version 4.9.3, consider restricting access to the "/cgi-bin/Embeded Ace TLSet Task.cgi" endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the EmbeddedAceSet Task.cgi functionality until a patch is available.