CVE-2025-46612
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary commands on Airleader Master and Easy systems by uploading malicious JSP files through the Panel Designer dashboard. Attackers must first authenticate to the administrator console, which often uses weak default credentials. Organizations using affected versions of these industrial control systems are at risk.
💻 Affected Systems
- Airleader Master
- Airleader Easy
📦 What is this software?
Airleader Master and Airleader Easy are industrial control system products from Airleader. Both are administered through a web-based administrator console that includes the Panel Designer dashboard through which the malicious upload is made.
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise leading to complete control of industrial processes, data theft, or disruption of critical operations.
Likely Case
Unauthorized command execution allowing attackers to install backdoors, exfiltrate data, or pivot to other systems.
If Mitigated
Limited impact if strong authentication and file upload restrictions are in place.
🎯 Exploit Status
Exploitation requires an authenticated administrator session, but the console ships with weak default credentials that are frequently left unchanged. The upload handled by the wizard/workspace.jsp endpoint does not restrict file type, so a .jsp file is accepted and can then be executed by the server.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.36
Vendor Advisory: https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-036.txt
Restart Required: Yes
Instructions:
1. Download Airleader Master/Easy version 6.36 from official vendor sources.
2. Backup current configuration and data.
3. Install the update following vendor documentation.
4. Restart the system.
5. Verify the update was successful.
🔧 Temporary Workarounds
Restrict File Uploads
Implement web application firewall rules that block uploads of JSP files to the wizard/workspace.jsp endpoint. Match the uploaded filename case-insensitively so that a file named with .JSP is not waved through.
# WAF rule example: deny POST requests to */wizard/workspace.jsp whose uploaded filename ends in .jsp (case-insensitive)
Change Default Credentials
Immediately change all default administrator passwords to strong, unique credentials.
# Use the Airleader console to set a unique admin password of 16+ characters
🧯 If You Can't Patch
- Isolate affected systems from internet and restrict network access to authorized personnel only.
- Implement strict monitoring of file upload activities and JSP file execution on the system.
🔍 How to Verify
Check if Vulnerable:
Check the system version via the Airleader console. If the version is below 6.36, the system is vulnerable.
Check Version:
Check version in Airleader Master/Easy administration console under System Information.
Verify Fix Applied:
Confirm system version is 6.36 or higher and test that JSP file uploads to wizard/workspace.jsp are properly restricted.
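The version gate described above, as an added example in Python (not Airleader's own code). It assumes the version string read from the administration console's System Information page contains a dotted numeric version such as "6.35" or "6.36.1"; any other format would need a different parser. The inventory records and hostnames are constructed for illustration.

```python
"""Decide whether an Airleader Master/Easy install is below the fixed release.

Added example, not vendor code. Assumptions: the version text contains a
dotted numeric version ("6.35", "6.36.1"); 6.36 is the first fixed release,
as stated in the vendor advisory referenced on this page.
"""
import re

FIXED_VERSION = (6, 36)  # first release containing the fix

def parse_version(text):
    """Extract the leading dotted-numeric version and return it as a tuple of ints.

    Numeric comparison matters: compared as strings, "6.4" sorts after "6.36"
    and "6.100" sorts before "6.36", both of which give the wrong answer.
    """
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_vulnerable(version_text):
    """True when the installed version is below 6.36.

    Tuple comparison handles differing lengths: (6, 36, 1) is not below (6, 36),
    and a bare "6" is treated as 6.0 and therefore below 6.36.
    """
    return parse_version(version_text) < FIXED_VERSION

def triage(inventory):
    """Return the hostnames in an inventory of (hostname, version_text) pairs
    that still need the 6.36 update, sorted for a stable report."""
    return sorted(host for host, text in inventory if is_vulnerable(text))

# Constructed sample inventory (assumed hostnames and version strings).
SAMPLE_INVENTORY = [
    ("air-master-01", "Airleader Master 6.35 (build 1234)"),
    ("air-master-02", "6.36"),
    ("air-easy-01", "v6.4"),
    ("air-easy-02", "6.36.1"),
    ("air-easy-03", "6.100"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: below 6.36, schedule update")
```

Feed it the version strings collected from each console rather than eyeballing them; the string-versus-numeric trap in parse_version is the usual way such a check silently passes a vulnerable host.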
📡 Detection & Monitoring
Log Indicators:
- Unusual JSP file uploads to wizard/workspace.jsp
- Multiple failed login attempts followed by successful admin login
- Execution of unexpected system commands
Network Indicators:
- POST requests to /wizard/workspace.jsp with file uploads
- Outbound connections from Airleader system to unknown IPs
SIEM Query (generic pseudo-query; adapt the source and field names to your SIEM):
source="airleader" AND (uri="/wizard/workspace.jsp" OR file_extension=".jsp")
Here file_extension refers to the extension of an uploaded file, not of the requested URI: the application itself is served as JSP pages, so matching on the URI extension alone would flag every normal page view.
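The log and network indicators above, together with the upload restriction under Temporary Workarounds, reduced to runnable checks: an added Python example, not code from the advisory or from Airleader. The predicate in is_jsp_upload is the same test a WAF rule for the workaround would encode; brute_force_then_success implements the "failed logins followed by a successful login" indicator. The log records are constructed for illustration, and their field names (ts, src_ip, event, method, uri, upload_name) and the threshold and window values are assumptions to map onto what your web server and application actually log.

```python
"""Detection checks for CVE-2025-46612 indicators over constructed log records.

Added example, not vendor or advisory code. Field names, the failed-login
threshold and the time window are assumptions; the endpoint and file type
come from the advisory summary on this page.
"""
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/wizard/workspace.jsp"    # endpoint named on this page
BLOCKED_SUFFIXES = (".jsp",)                 # file type named on this page
FAILED_LOGIN_THRESHOLD = 3                   # assumption: tune per environment
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # assumption: tune per environment

# Constructed sample records, not real Airleader logs. Each record is one
# already-parsed event: either an HTTP access entry or an auth event.
SAMPLE_LOGS = [
    {"ts": "2025-05-01T09:50:00", "src_ip": "198.51.100.4", "event": "login_failed", "user": "operator"},
    {"ts": "2025-05-01T09:59:00", "src_ip": "198.51.100.4", "event": "login_success", "user": "operator"},
    {"ts": "2025-05-01T10:00:01", "src_ip": "203.0.113.7", "event": "login_failed", "user": "admin"},
    {"ts": "2025-05-01T10:00:05", "src_ip": "203.0.113.7", "event": "login_failed", "user": "admin"},
    {"ts": "2025-05-01T10:00:09", "src_ip": "203.0.113.7", "event": "login_failed", "user": "admin"},
    {"ts": "2025-05-01T10:00:12", "src_ip": "203.0.113.7", "event": "login_success", "user": "admin"},
    {"ts": "2025-05-01T10:01:00", "src_ip": "203.0.113.7", "event": "http", "method": "POST",
     "uri": "/wizard/workspace.jsp", "status": 200, "upload_name": "panel.JSP"},
    {"ts": "2025-05-01T10:01:30", "src_ip": "203.0.113.7", "event": "http", "method": "POST",
     "uri": "/wizard/workspace.jsp", "status": 200, "upload_name": "panel.png"},
    {"ts": "2025-05-01T10:02:00", "src_ip": "198.51.100.4", "event": "http", "method": "GET",
     "uri": "/wizard/workspace.jsp", "status": 200},
    {"ts": "2025-05-01T10:03:00", "src_ip": "203.0.113.7", "event": "http", "method": "POST",
     "uri": "/airleader/wizard/workspace.jsp?panel=1", "status": 200, "upload_name": "shell.jsp"},
]

def parse_ts(text):
    return datetime.fromisoformat(text)

def is_jsp_upload(rec):
    """True for a POST to the upload endpoint that carries a .jsp file.

    The suffix test is case-insensitive: a rule that only matches lowercase
    ".jsp" is bypassed by "panel.JSP". The query string is stripped and the
    path is matched by suffix so a deployment under a context path still hits.
    """
    if rec.get("event") != "http" or rec.get("method") != "POST":
        return False
    path = rec.get("uri", "").split("?", 1)[0]
    if not path.endswith(UPLOAD_ENDPOINT):
        return False
    return rec.get("upload_name", "").lower().endswith(BLOCKED_SUFFIXES)

def brute_force_then_success(records):
    """Return (src_ip, user, failed_count) for each source that accumulated at
    least FAILED_LOGIN_THRESHOLD failed logins within FAILED_LOGIN_WINDOW and
    then logged in successfully. Failures are discarded after a success so one
    event does not fire repeatedly."""
    failures = {}  # src_ip -> timestamps of recent failed logins
    hits = []
    for rec in sorted(records, key=lambda r: parse_ts(r["ts"])):
        event = rec.get("event")
        if event not in ("login_failed", "login_success"):
            continue
        ip, ts = rec["src_ip"], parse_ts(rec["ts"])
        recent = [t for t in failures.get(ip, []) if ts - t <= FAILED_LOGIN_WINDOW]
        if event == "login_failed":
            recent.append(ts)
            failures[ip] = recent
        else:
            if len(recent) >= FAILED_LOGIN_THRESHOLD:
                hits.append((ip, rec.get("user"), len(recent)))
            failures[ip] = []
    return hits

def detect(records):
    """Run both checks and return a list of (alert_type, src_ip, detail) tuples."""
    alerts = []
    for rec in records:
        if is_jsp_upload(rec):
            alerts.append(("jsp_upload", rec["src_ip"], rec["upload_name"]))
    for ip, user, count in brute_force_then_success(records):
        alerts.append(("bruteforce_then_login", ip, f"{user}:{count} failures"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

On the constructed input this flags the two JSP uploads (including the uppercase .JSP and the one under a context path with a query string), ignores the PNG upload and the GET, and raises one brute-force alert for the admin login preceded by three failures; the operator login with a single earlier failure stays quiet.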