CVE-2022-46649: OS Command Injection

Reference Links

• https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2023-001/
• https://www.cisa.gov/uscert/ics/advisories/icsa-23-026-04
• https://www.otorio.com/blog/airlink-acemanager-vulnerabilities/
• https://www.cisa.gov/news-events/ics-advisories/icsa-23-026-04 (Advisory)

Parent vulnerabilities

(Appears in the following advisories)

• ICSA-23-026-04

Frequently Asked Questions

• What is CVE-2022-46649?

  CVE-2022-46649 is a vulnerability in Acemanager in ALEOS before version 4.16 that allows a user with valid credentials to manipulate the IP logging operation to execute arbitrary shell commands on the device.

• What software versions are affected by CVE-2022-46649?

  CVE-2022-46649 affects Sierra Wireless Aleos versions up to and including 4.9.7 and 4.16.0.

• How severe is CVE-2022-46649?

  CVE-2022-46649 has a severity rating of 8.8 (high).

• How can the vulnerability be exploited?

  The vulnerability in Acemanager allows a user with valid credentials to manipulate the IP logging operation to execute arbitrary shell commands on the device.

• How can I fix CVE-2022-46649?

  To fix CVE-2022-46649, update your Acemanager software to version 4.16 or later.