
Easy Firmware CVE-2025-46612

EUVD-2025-17692 · HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
Published 2025-06-10 · assigner cve@mitre.org
CVSS 3.1 (NVD): 7.2

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

EUVD ID assigned: Mar 14, 2026 19:49 (euvd) · EUVD-2025-17692
Analysis generated: Mar 14, 2026 19:49 (vuln.today)
PoC detected: Oct 16, 2025 20:57 (vuln.today) · public exploit code
CVE published: Jun 10, 2025 15:15 (nvd)

Description (CVE.org)

The Panel Designer dashboard in Airleader Master and Easy before 6.36 allows remote attackers to execute arbitrary commands via a wizard/workspace.jsp unrestricted file upload. To exploit this, the attacker must login to the administrator console (default credentials are weak and easily guessable) and upload a JSP file via the Panel Designer dashboard.

Analysis (AI-generated)

CVE-2025-46612 is an unrestricted file upload vulnerability (CWE-434) in Airleader Master and Easy before version 6.36. An authenticated administrator can upload a JSP file through the Panel Designer dashboard (wizard/workspace.jsp); because the servlet container compiles and executes any JSP it serves, the upload becomes arbitrary command execution on the server with the privileges of the application server process. The CVSS vector rates Privileges Required as High, which is why the base score is 7.2 rather than Critical, but the description notes that the default administrator credentials are weak and easily guessable, so wherever defaults have not been changed the privilege barrier is effectively absent. No KEV listing is recorded on this page; the lifecycle timeline above does record public exploit code detected on Oct 16, 2025. A simple attack path, available PoC, and full confidentiality, integrity and availability impact make this a high priority for organizations running affected versions.

Technical Context (AI-generated)

The vulnerable endpoint is wizard/workspace.jsp in the Panel Designer dashboard of Airleader Master (CPE cpe:2.3:a:airleader:airleader_master) and Airleader Easy (CPE cpe:2.3:a:airleader:airleader_easy), versions before 6.36. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type): the upload handler does not restrict the type of file an administrator may place in the workspace, so a file with a .jsp extension is accepted and written where the servlet container will serve it. JSP (JavaServer Pages) is server-side code, not static content; the container compiles a requested .jsp into a servlet and runs it, so a single request for the uploaded file executes attacker-supplied Java with the privileges of the application server process. The attack surface is the web-based administrative console, which the attacker must be able to reach; it should be confined to a management network, but it is commonly left reachable so that administrators can use it, and weak default credentials turn that reachability into an exploitable path.

Remediation (AI-generated)

1. IMMEDIATE: Upgrade Airleader Master and Easy to version 6.36 or later, which fixes the unrestricted file upload.
2. CRITICAL: Change all default administrator credentials to strong, unique passwords. The vulnerability requires an administrator login, so weak defaults are the primary enabler of this CVE.
3. INTERIM MITIGATION (while an upgrade is pending):
   - Restrict administrative console access at the network level to trusted addresses or a VPN.
   - Disable or restrict the Panel Designer dashboard if it is not actively used.
   - Add WAF rules that reject uploads to wizard/workspace.jsp whose filename ends in .jsp or .jspx (match case-insensitively; both extensions are executed by the servlet container). Extension filtering is bypass-prone and is a stopgap, not a substitute for the upgrade.
   - Monitor upload and access logs for .jsp submissions to the endpoint and for requests to .jsp files that are not part of the product.
4. POST-REMEDIATION: Audit administrator accounts for unauthorized access; review audit logs for file uploads or command execution during the vulnerable period; compare the deployed webapp against a known-good install and remove any JSP files that do not belong to the product.

Consult official Airleader security advisories and patch release notes for version-specific remediation steps.
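
To make the monitoring and post-remediation steps concrete, here is an added example, written for this page and not code from Airleader or vuln.today, in Python. It runs three checks: it scans access-log lines for POST requests to the wizard/workspace.jsp endpoint, it lists requested .jsp/.jspx paths that are not product files (an uploaded file being invoked), and it walks a deployed webapp directory reporting any .jsp/.jspx file missing from a known-good baseline. The sample log lines, the baseline file list and the upload directory wizard/uploads/ are constructed for the example; the real context root, log format and install manifest of an Airleader deployment are assumptions you must replace.

```python
"""Hunt for CVE-2025-46612 style JSP uploads (added example, not from the page).

Checks: (1) POSTs to the Panel Designer upload endpoint in an access log,
(2) requests for JSP paths that are not product files, (3) JSP files on disk
that are not in a known-good baseline. All sample data below is constructed.
"""
import os
import re
import tempfile

# Common/combined access log format as written by e.g. Tomcat's AccessLogValve
# (assumed; adjust the pattern to the deployment's real log format).
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
UPLOAD_ENDPOINT = "/wizard/workspace.jsp"   # endpoint named in the CVE description
JSP_EXT = (".jsp", ".jspx")                  # both are executed by the servlet container

# Constructed sample log: an admin session posts to the endpoint, then a file
# under an assumed upload directory is requested directly.
SAMPLE_LOG = [
    '10.0.0.5 - admin [16/Oct/2025:20:57:01 +0000] "GET /wizard/workspace.jsp HTTP/1.1" 200 4312',
    '10.0.0.5 - admin [16/Oct/2025:20:57:09 +0000] "POST /wizard/workspace.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [16/Oct/2025:20:57:15 +0000] "GET /wizard/uploads/panel.jsp?cmd=id HTTP/1.1" 200 77',
    '10.0.0.9 - - [16/Oct/2025:21:02:33 +0000] "GET /index.jsp HTTP/1.1" 200 1200',
    'garbage line that does not parse',
]


def find_upload_requests(lines):
    """Return (host, time, path, status) for every POST to the upload endpoint.
    Matching is on the path suffix so a context-root prefix (/app/wizard/...) still hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"].upper() != "POST":
            continue
        path = m["path"].split("?", 1)[0]           # drop the query string
        if path.lower().endswith(UPLOAD_ENDPOINT):
            hits.append((m["host"], m["time"], path, int(m["status"])))
    return hits


def find_jsp_requests_outside_baseline(lines, baseline):
    """Return requested .jsp/.jspx paths that are not in the product baseline.
    Paths are assumed to be relative to the context root, like the baseline."""
    seen = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if path.lower().endswith(JSP_EXT) and path.lstrip("/") not in baseline:
            seen.add(path)
    return sorted(seen)


def find_unexpected_jsp_files(webapp_root, baseline):
    """Walk the deployed webapp and report .jsp/.jspx files absent from the baseline."""
    unexpected = []
    for dirpath, _, files in os.walk(webapp_root):
        for name in files:
            if not name.lower().endswith(JSP_EXT):
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), webapp_root)
            rel = rel.replace(os.sep, "/")
            if rel not in baseline:
                unexpected.append(rel)
    return sorted(unexpected)


def demo():
    """Build a constructed webapp tree and run all three checks over the sample data."""
    baseline = {"index.jsp", "wizard/workspace.jsp"}   # from a known-good install (assumed)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wizard", "uploads"))
        for rel in ("index.jsp", "wizard/workspace.jsp",
                    "wizard/uploads/panel.jsp", "wizard/uploads/logo.png"):
            with open(os.path.join(root, *rel.split("/")), "w") as fh:
                fh.write("<%-- constructed placeholder --%>\n")
        return (
            find_upload_requests(SAMPLE_LOG),
            find_jsp_requests_outside_baseline(SAMPLE_LOG, baseline),
            find_unexpected_jsp_files(root, baseline),
        )


if __name__ == "__main__":
    uploads, invoked, on_disk = demo()
    print("POSTs to upload endpoint:   ", uploads)
    print("Non-baseline JSP requested: ", invoked)
    print("Non-baseline JSP on disk:   ", on_disk)
```

The baseline is the important input: generate it from a clean 6.36 install (every .jsp and .jspx path under the webapp), not from the possibly compromised host, and treat anything outside it as evidence to preserve before deleting. The on-disk check catches uploads even when logs were rotated or tampered with; the log checks give you the source address and time window for the account audit.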


CVE-2025-46612 vulnerability details – vuln.today
