Every CVE whose affected-product data names Sierrawireless Aleos, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (30)
CVE-2015-2897 — CVSS 10.0 (critical): Sierra Wireless ALEOS before 4.4.2 on AirLink ES, GX, and LS devices has hardcoded root accounts, which makes it easier for remote…
CVE-2019-11851 — CVSS 9.8 (critical): The ACENet service in Sierra Wireless ALEOS before 4.4.9, 4.5.x through 4.9.x before 4.9.5, and 4.10.x through 4.13.x before 4.14.0 allows…
CVE-2018-10251 — CVSS 9.8 (critical): A vulnerability in Sierra Wireless AirLink GX400, GX440, ES440, and LS300 routers with firmware before 4.4.7 and GX450, ES450, RV50, RV50X…
CVE-2019-11857 — CVSS 9.1 (critical): Lack of input sanitization in AceManager of ALEOS before 4.12.0, 4.9.5 and 4.4.9 allows disclosure of sensitive system information.
CVE-2022-46649 — CVSS 8.8 (high): Acemanager in ALEOS before version 4.16 allows a user with valid credentials to manipulate the IP logging operation to execute arbitrary…
CVE-2023-40465 — CVSS 8.3 (high): Several versions of ALEOS, including ALEOS 4.16.0, include an opensource third-party component which can be exploited from the local area…
CVE-2023-40461 — CVSS 8.1 (high): The ACEManager component of ALEOS 4.16 and earlier allows an authenticated user with Administrator privileges to access a file upload field…
CVE-2023-40463 — CVSS 8.1 (high): When configured in debugging mode by an authenticated user with administrative privileges, ALEOS 4.16 and earlier store the SHA512 hash of…
CVE-2019-11855 — CVSS 8.1 (high): An RPC server is enabled by default on the gateway's LAN of ALEOS before 4.12.0, 4.9.5, and 4.4.9.
CVE-2023-40464 — CVSS 8.1 (high): Several versions of ALEOS, including ALEOS 4.16.0, use a hardcoded SSL certificate and private key. An attacker with access to these items…
CVE-2020-8781 — CVSS 7.8 (high): Lack of input sanitization in UpdateRebootMgr service of ALEOS 4.11 and later allow an escalation to root from a low-privilege process.
CVE-2023-40458 — CVSS 7.5 (high): Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Sierra Wireless, Inc ALEOS could potentially allow a remote…
CVE-2023-38321 — CVSS 7.5 (high): OpenNDS, as used in Sierra Wireless ALEOS before 4.17.0.12 and other products, allows remote attackers to cause a denial of service (NULL…
CVE-2023-40462 — CVSS 7.5 (high): The ACEManager component of ALEOS 4.16 and earlier does not perform input sanitization during authentication, which could potentially…
CVE-2023-40459 — CVSS 7.5 (high): The ACEManager component of ALEOS 4.16 and earlier does not adequately perform input sanitization during authentication, which could…
CVE-2020-8782 — CVSS 7.5 (high): Unauthenticated RPC server on ALEOS before 4.4.9, 4.9.5, and 4.14.0 allows remote code execution.
CVE-2019-11847 — CVSS 7.3 (high): An improper privilege management vulnerabitlity exists in ALEOS before 4.11.0, 4.9.4 and 4.4.9. An authenticated user can escalate to root…
CVE-2023-40460 — CVSS 7.1 (high): The ACEManager component of ALEOS 4.16 and earlier does not validate uploaded file names and types, which could potentially allow an…
CVE-2019-11850 — CVSS 6.3 (medium): A stack overflow vulnerabiltity exist in the AT command interface of ALEOS before 4.11.0. The vulnerability may allow code execution
CVE-2019-11849 — CVSS 6.3 (medium): A stack overflow vulnerabiltity exists in the AT command APIs of ALEOS before 4.11.0. The vulnerability may allow code execution.
CVE-2019-11859 — CVSS 6.0 (medium): A buffer overflow exists in the SMS handler API of ALEOS before 4.13.0, 4.9.5, 4.9.4 that may allow code execution as root.
CVE-2019-11858 — CVSS 5.7 (medium): Multiple buffer overflow vulnerabilities exist in the AceManager Web API of ALEOS before 4.13.0, 4.9.5, and 4.4.9.
CVE-2022-46650 — CVSS 4.9 (medium): Acemanager in ALEOS before version 4.16 allows a user with valid credentials to reconfigure the device to expose the ACEManager credentials…
CVE-2015-6479 — CVSS 4.3 (medium): ACEmanager in Sierra Wireless ALEOS 4.4.2 and earlier on ES440, ES450, GX400, GX440, GX450, and LS300 devices allows remote attackers to…
CVE-2019-11848 — CVSS 4.1 (medium): An API abuse vulnerability exists in the AT command API of ALEOS before 4.13.0, 4.9.5, 4.4.9 due to lack of length checking when handling…
CVE-2019-11853 — CVSS 3.9 (low): Several potential command injections vulnerabilities exist in the AT command interface of ALEOS before 4.11.0, and 4.9.4.
CVE-2019-11852 — CVSS 3.7 (low): An out-of-bounds reads vulnerability exists in the ACEView Service of ALEOS before 4.13.0, 4.9.5, and 4.4.9. Sensitive information may be…
CVE-2019-11856 — CVSS 3.3 (low): A nonce reuse vulnerability exists in the ACEView service of ALEOS before 4.13.0, 4.9.5, and 4.4.9 allowing message replay. Captured…