The Cybersecurity and Infrastructure Security Agency (CISA) has escalated a six-year-old vulnerability in Sierra Wireless AirLink gateways to critical status, adding CVE-2018-4063 to its Known Exploited Vulnerabilities (KEV) Catalog following confirmed evidence of active exploitation in the wild. This administrative directive, issued under Binding Operational Directive (BOD) 22-01, mandates that all Federal Civilian Executive Branch (FCEB) agencies must patch or mitigate this flaw by July 1, 2024, highlighting the persistent and dangerous lifecycle of vulnerabilities in operational technology (OT) and Internet of Things (IoT) devices. The move underscores a growing concern among cybersecurity professionals about the long-tail risk posed by unpatched industrial and networking equipment that often remains in service for decades, far beyond typical software support cycles.

The Vulnerability: CVE-2018-4063 Explained

CVE-2018-4063 is a critical authentication bypass vulnerability affecting the web management interface of specific Sierra Wireless AirLink cellular gateway and router models. According to the original CVE entry and subsequent analysis, the flaw resides in the ACEManager web interface. A remote, unauthenticated attacker could craft a specially crafted HTTP request to directly access configuration pages that should require authentication. Successful exploitation grants the attacker administrative access to the device's web interface, enabling them to view and modify sensitive network configurations, intercept traffic, or use the device as a pivot point into the broader organizational network.

Affected Sierra Wireless AirLink Models:
- AirLink RV50 LTE-A and 5G Routers (versions prior to ALEOS 4.9.9)
- AirLink RV50X LTE-A and 5G Routers (versions prior to ALEOS 4.9.9)
- ES450 LTE-A and 5G Gateways (versions prior to ALEOS 4.9.9)
- MP70 LTE-A and 5G Mobile Routers (versions prior to ALEOS 4.9.9)
- NEXUS 5G Gateways (versions prior to ALEOS 4.16.0)

The vulnerability is rooted in improper access control mechanisms within the ACEManager component. It received a CVSS v3 base score of 9.8 (Critical) due to the low attack complexity, lack of required privileges, and the high impact on confidentiality, integrity, and availability.

Why a 2018 Flaw is Now a 2024 Emergency

The addition of a six-year-old vulnerability to the KEV catalog is not an anomaly but a strategic response to a clear and present threat. CISA's KEV catalog is a dynamic list based on evidence of active exploitation, not just theoretical risk. Recent threat intelligence, likely from CISA's own sources, partners like the FBI and NSA, or commercial threat intelligence firms, has confirmed that malicious actors are actively scanning for and exploiting CVE-2018-4063 in real-world attacks.

This scenario is common in the OT/IoT space. Industrial control systems, medical devices, and network appliances like cellular gateways are often deployed for 10-20 years. Patching can be complex due to operational downtime requirements, geographic dispersion of devices, and a lack of dedicated IT security oversight for these "shadow IT" assets. Threat actors, including state-sponsored advanced persistent threat (APT) groups and ransomware affiliates, meticulously catalog such old, reliable vulnerabilities to gain initial access into critical infrastructure, manufacturing, logistics, and government networks.

Google searches for "CVE-2018-4063 exploit" reveal proof-of-concept code and detailed analysis has been publicly available for years, lowering the barrier to entry for less sophisticated attackers. The binding directive for federal agencies serves as a powerful signal to the entire public and private sector: if this flaw is being used against government networks, it is almost certainly being used against everyone else.

The Mandate: CISA's Binding Operational Directive 22-01

CISA's action is not a suggestion; it is a legal requirement for federal agencies. Under Binding Operational Directive (BOD) 22-01, established in November 2021, FCEB agencies are required to remediate vulnerabilities listed in the KEV catalog within specific timeframes. For CVE-2018-4063, the deadline is July 1, 2024.

The directive outlines a strict timeline:
1. Two weeks from catalog addition: Agencies must complete initial vulnerability identification and asset discovery.
2. Three weeks from catalog addition (by June 17, 2024): Agencies must either apply the available patch/update or implement CISA-approved mitigation measures.
3. Six weeks from catalog addition (by July 1, 2024): All remediation actions must be completed and reported.

Failure to comply requires agencies to submit a formal exception request with detailed justification and an alternative plan for managing the risk, which is subject to CISA review. This framework creates a powerful incentive for prompt action and establishes a model for enterprise patch management.

Sierra Wireless' Response and Patching Guidance

Sierra Wireless (now part of Semtech) originally addressed CVE-2018-4063 in 2018. The primary remediation is to update the affected devices to a patched version of the ALEOS operating system.

Official Patch Versions:
- For RV50, RV50X, ES450, and MP70 devices: Upgrade to ALEOS 4.9.9 or later.
- For NEXUS gateways: Upgrade to ALEOS 4.16.0 or later.

Organizations managing fleets of AirLink devices should immediately:
1. Inventory and Identify: Use Sierra Wireless' AirLink Management Service (ALMS) or other network discovery tools to locate all AirLink gateways and determine their current ALEOS version.
2. Plan the Update: Coordinate with operational teams to schedule updates. For remote or critical infrastructure devices, this may require maintenance windows.
3. Apply the Update: Follow Sierra Wireless' official firmware upgrade procedures. It is critical to download firmware directly from the official Sierra Wireless/Semtech support portal to avoid tampered versions.
4. Verify and Harden: After updating, verify the patch is applied and consider implementing additional network security controls, such as placing the devices on a dedicated VLAN, restricting management interface access to specific IP addresses via firewall rules, and disabling any unused services.

Broader Implications for IoT and OT Security

The CVE-2018-4063 mandate is a case study in the systemic challenges of IoT/OT cybersecurity. These devices form the connective tissue of modern critical infrastructure—from smart grids and water treatment plants to transportation systems and emergency responder communications. Their security is often an afterthought, characterized by:
- Long Lifecycles: Devices remain in use for 15+ years, outliving vendor support.
- Insecure by Design: Often built with default credentials, unencrypted communications, and vulnerable services enabled.
- Operational Constraints: Patching may require physically visiting remote sites or taking critical systems offline, creating resistance from operational technology (OT) teams.
- Visibility Gaps: Many organizations lack a complete asset inventory of their IoT/OT devices, making vulnerability management impossible.

CISA's action is part of a larger push, including initiatives like the "Secure by Design" pledge, to shift responsibility onto manufacturers and improve the security baseline of these essential technologies. For network administrators and security teams, this event is a stark reminder to expand vulnerability management programs beyond traditional servers and workstations to include all network-connected assets.

Actionable Steps for All Organizations

While the BOD 22-01 mandate directly applies to federal agencies, every organization using Sierra Wireless AirLink gateways or similar IoT/OT equipment should treat this with equal urgency.

Immediate Actions:
- Scan Your Network: Use tools like Nmap or dedicated asset discovery platforms to search for Sierra Wireless AirLink devices (common ports include 80, 443, 9200, 9201).
- Check Firmware Versions: Immediately log into the management interface of any found devices and check the ALEOS version against the patched list.
- Patch Immediately: If devices are vulnerable, plan and execute firmware updates as a top priority. If immediate patching is impossible, implement strict network-level controls as a temporary mitigation.

Strategic Security Posture Improvements:
- Create an IoT/OT Asset Registry: Maintain a dynamic inventory of all non-standard IT assets, including make, model, serial number, firmware version, and network location.
- Implement Network Segmentation: Isolate IoT/OT devices on separate network segments with firewall policies that restrict traffic to only necessary communications.
- Monitor for Anomalies: Deploy network detection and response (NDR) tools or configure SIEM alerts for unusual traffic patterns to or from these gateway devices.
- Subscribe to Threat Feeds: Follow CISA's KEV catalog, ICS-CERT advisories, and vendor security bulletins to stay informed about emerging threats to your infrastructure.

The re-emergence of CVE-2018-4063 as a critical threat in 2024 is a powerful lesson in cyber hygiene. It demonstrates that in the interconnected world of IoT, vulnerabilities never truly age out—they simply lie in wait for attackers to find them. Proactive, comprehensive asset management and a disciplined patch strategy are no longer optional for any organization reliant on these technologies for their core operations.