ICSA-23-026-04 · Published 2023-01-26
Sierra Wireless AirLink Router with ALEOS Software
CVSS 8.0 (HIGH)
Risk Summary
Successful exploitation of these vulnerabilities could allow a loss of sensitive information and could allow remote code execution.
CVEs (2)
Remediations
- Upgrade MP70, RV50, RV50x, RV55, LX 40, LX60 to ALEOS version 4.16.0 or later
- Upgrade ES450, GX450 to ALEOS version 4.9.8 (when available) or later
- Always use strong, and ideally unique, random credentials for devices. ALEOS devices ship with unique random credentials by default.
- Disable access to ACEManager on the wide area network (WAN) and use the Sierra Wireless Airlink Management System (ALMS) or an alternative device management platform for remote management of ALEOS devices.
- If the ACEManager must remain accessible via the WAN, restrict access using measures such as Private APN, VPN, or the ALEOS Trusted IP feature (restricts access to specific hosts).
Affected Vendors
Sierra Wireless
Affected Products (2)
- Sierra Wireless Airlink Router (ES450, GX450) running ALEOS software: versions <= 4.9.7
- Sierra Wireless Airlink Router (MP70, RV50, RV50x, RV55, LX 40, LX60) running ALEOS software: versions < 4.16.0
Affected Sectors
Multiple