CVE-2026-1358

9.8 CRITICAL

📋 TL;DR

Airleader Master versions 6.381 and prior have unrestricted file upload functionality on multiple webpages running with maximum privileges. This allows unauthenticated attackers to upload malicious files and achieve remote code execution on the server. Organizations using Airleader Master for industrial control systems are affected.

💻 Affected Systems

Products:
  • Airleader Master
Versions: 6.381 and prior
Operating Systems: Unknown - likely Windows-based given ICS context
Default Config Vulnerable: ⚠️ Yes
Notes: Affects multiple webpages with maximum privilege access. No authentication required for exploitation.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the Airleader Master server leading to full control of industrial processes, data theft, system disruption, and lateral movement to other ICS components.

🟠 Likely Case

Attackers gain shell access to the server, install persistence mechanisms, exfiltrate sensitive industrial data, and potentially disrupt operations.

🟢 If Mitigated

File uploads are blocked or properly validated, limiting attackers to denial-of-service attempts or information disclosure.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation means any internet-exposed instance is immediately vulnerable to attack.
🏢 Internal Only: HIGH - Even internally accessible systems are vulnerable to insider threats or compromised internal hosts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Unrestricted file upload vulnerabilities are straightforward to exploit. Attackers can upload webshells or executable payloads directly.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 6.382 or later (assumed from CVE pattern)

Vendor Advisory: https://www.cisa.gov/news-events/ics-advisories/icsa-26-043-10

Restart Required: Yes

Instructions:

  1. Contact Airleader vendor for patched version
  2. Backup configuration and data
  3. Install update following vendor instructions
  4. Restart system
  5. Verify functionality

🔧 Temporary Workarounds

  • Network Segmentation (all platforms): Isolate Airleader Master systems from untrusted networks using firewalls
  • Web Application Firewall (all platforms): Deploy WAF with file upload restrictions and malicious content detection

🧯 If You Can't Patch

  • Implement strict network access controls to limit connections to Airleader Master only from authorized sources
  • Deploy file integrity monitoring and endpoint detection on the Airleader Master server to detect unauthorized file uploads

🔍 How to Verify

Check if Vulnerable:

Check Airleader Master version in web interface or configuration files. If version is 6.381 or earlier, system is vulnerable.

Check Version:

Check web interface or consult vendor documentation for version checking method

Verify Fix Applied:

Verify version is 6.382 or later. Test file upload functionality to ensure proper validation is implemented.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to Airleader webpages
  • Execution of unexpected processes on Airleader server
  • Webshell or malicious file creation in web directories

Network Indicators:

  • HTTP POST requests with file uploads to Airleader endpoints from unauthorized sources
  • Outbound connections from Airleader server to suspicious IPs

SIEM Query:

source="airleader_web_logs" AND method="POST" AND (uri CONTAINS "upload" OR uri CONTAINS "file")
