CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description
The Panel Designer dashboard in Airleader Master and Easy before 6.36 allows remote attackers to execute arbitrary commands via a wizard/workspace.jsp unrestricted file upload. To exploit this, the attacker must log in to the administrator console (default credentials are weak and easily guessable) and upload a JSP file via the Panel Designer dashboard.
Analysis
CVE-2025-46612 is an unrestricted file upload vulnerability in Airleader Master and Easy versions prior to 6.36 that allows authenticated administrators to execute arbitrary commands on the server by uploading malicious JSP files through the Panel Designer dashboard. Although it requires high-privilege credentials (an administrator login), the vulnerability is particularly dangerous because default credentials are weak and exploitation is straightforward. No active KEV designation or widespread PoC availability has been confirmed, but the simple attack vector and high impact make this a significant priority for organizations running affected versions.
Technical Context
This vulnerability exists in the wizard/workspace.jsp endpoint of Airleader's Panel Designer dashboard component. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type): the application fails to properly validate, sanitize, or restrict the types of files users upload. As a result, JSP (JavaServer Pages) files can be uploaded and executed within the web application context. JSP is a server-side templating technology, so a JSP file placed where the application server will serve it runs as server-side code. The affected products are Airleader Master (CPE: cpe:2.3:a:airleader:airleader_master) and Airleader Easy (CPE: cpe:2.3:a:airleader:airleader_easy), with versions before 6.36 being vulnerable. The attack surface is the web-based administrative console, which should be access-restricted but is often broadly reachable by organizational administrators.
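The control whose absence defines CWE-434 is an allowlist check on uploaded files. The following is an added illustration, not Airleader's code (the real wizard/workspace.jsp handler is not public): a naive denylist check of the kind that leaves such gaps, beside an allowlist validator that also checks file content. The allowed extension set, magic-byte table and function names are assumptions.

```python
"""Added example, not part of the advisory or of Airleader's software:
allowlist validation of uploaded filenames and content, the control whose
absence is CWE-434. All names and the allowed-extension set are assumptions."""
import re
import unicodedata
from typing import Optional

# Extensions a panel-layout upload plausibly needs (assumed set).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "svg", "json", "xml"}

# One stem, one extension, ASCII only, no leading dot, bounded length.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,99}$")

# Leading bytes expected for the binary formats in the allowlist.
_MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def weak_check(filename: str) -> bool:
    """Denylist the way a naive handler might: reject names ending in '.jsp'.
    Kept only to show what it misses (case, .jspx, embedded NUL)."""
    return not filename.endswith(".jsp")


def canonical_upload_name(filename: str) -> Optional[str]:
    """Return the normalised, validated filename, or None if unacceptable."""
    # Path separators and NUL bytes have no business in an upload name.
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return None
    # Fold Unicode look-alikes (e.g. fullwidth letters) before matching.
    name = unicodedata.normalize("NFKC", filename)
    if not _SAFE_NAME.match(name):
        return None
    parts = name.split(".")
    # Exactly one extension: 'logo.png' passes, 'shell.png.jsp' does not.
    if len(parts) != 2 or not parts[0]:
        return None
    stem, ext = parts[0], parts[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return f"{stem}.{ext}"


def is_safe_upload_name(filename: str) -> bool:
    return canonical_upload_name(filename) is not None


def content_matches_extension(data: bytes, ext: str) -> bool:
    """Check the bytes agree with the claimed (already allowlisted) extension."""
    ext = ext.lower()
    if ext in _MAGIC:
        return any(data.startswith(magic) for magic in _MAGIC[ext])
    # Text formats: require at least valid UTF-8.
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def accept_upload(filename: str, data: bytes) -> bool:
    """Single decision point a handler would call before writing to disk."""
    name = canonical_upload_name(filename)
    if name is None:
        return False
    return content_matches_extension(data, name.rsplit(".", 1)[1])


if __name__ == "__main__":
    for candidate in ["logo.png", "shell.JSP", "shell.jspx", "shell.png.jsp",
                      "shell.jsp\x00.png", "../logo.png"]:
        print(repr(candidate), "weak:", weak_check(candidate),
              "allowlist:", is_safe_upload_name(candidate))
```

The point of the side-by-side is that the denylist passes every variant except the literal lowercase `.jsp`, while the allowlist never needs to enumerate dangerous types at all; storing the file under a server-chosen name (rather than the client's stem) and outside any directory the servlet container executes from completes the fix.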
Affected Products
Airleader Master versions prior to 6.36; Airleader Easy versions prior to 6.36. Specifically affected components include the Panel Designer dashboard and its wizard/workspace.jsp endpoint. No specific CPE version ranges or patch version numbers were provided in the available intelligence, but vendor advisories should specify exact patch versions. Organizations should consult Airleader's security advisories for precise version boundaries and patch availability.
Remediation
1) IMMEDIATE: Upgrade Airleader Master and Easy installations to version 6.36 or later, which patches the unrestricted file upload vulnerability.
2) CRITICAL: Change all default administrator credentials to strong, unique passwords immediately, as weak defaults are a primary exploitation factor in this CVE.
3) INTERIM MITIGATION (if upgrade is delayed):
- Implement network-level access controls to restrict administrative console access to trusted IP addresses/VPNs only.
- Disable or restrict the Panel Designer dashboard if not actively used.
- Implement web application firewall (WAF) rules to block JSP file uploads to the wizard/workspace.jsp endpoint.
- Monitor file upload logs for suspicious .jsp file submissions.
4) POST-REMEDIATION: Audit administrator accounts for unauthorized access; review audit logs for suspicious file uploads or command execution during the vulnerable period; verify no malicious JSP files remain on the system.
Consult official Airleader security advisories and patch release notes for version-specific remediation steps.
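Two of the interim mitigations above (restricting console access to trusted networks, and watching for JSP uploads) and the post-remediation log review can be expressed as detection logic. The following is an added example, not part of the vuln.today entry or of Airleader's software: it runs over constructed Tomcat-style access log lines and flags uploads to wizard/workspace.jsp from untrusted addresses, requests for JSP pages outside a known baseline, and the combination of the two from one client. The trusted network range, the baseline page list, the time window and the sample log lines are assumptions.

```python
"""Added example, not from the advisory or Airleader: detection over
constructed Tomcat-style access log lines. Only /wizard/workspace.jsp comes
from the advisory; the trusted range, baseline pages and log lines are assumed."""
import ipaddress
import re
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/wizard/workspace.jsp"                       # from the advisory
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.0.0.0/8")]       # assumed admin range
KNOWN_JSP_PAGES = {"/wizard/workspace.jsp", "/login.jsp", "/index.jsp"}  # assumed baseline
CORRELATION_WINDOW = timedelta(minutes=10)                       # assumed

# Common/combined log format as written by Tomcat's AccessLogValve.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: a trusted admin, then an upload from an untrusted address
# followed by a request for a JSP page that did not exist in the baseline.
SAMPLE_LOG = [
    '10.0.0.7 - admin [01/May/2025:09:58:10 +0000] "GET /login.jsp HTTP/1.1" 200 1843',
    '10.0.0.7 - admin [01/May/2025:09:58:40 +0000] "POST /wizard/workspace.jsp HTTP/1.1" 200 512',
    '203.0.113.5 - admin [01/May/2025:10:00:05 +0000] "POST /wizard/workspace.jsp HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/May/2025:10:00:40 +0000] "GET /workspace/p.jsp HTTP/1.1" 200 96',
    '10.0.0.7 - admin [01/May/2025:10:01:00 +0000] "GET /wizard/workspace.jsp HTTP/1.1" 200 7210',
    '198.51.100.9 - - [01/May/2025:10:05:00 +0000] "GET /reports/export.jsp HTTP/1.1" 404 310',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["path"] = ev["target"].split("?", 1)[0]   # drop the query string
    ev["status"] = int(ev["status"])
    return ev


def _is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def _is_jsp(path):
    return path.lower().endswith((".jsp", ".jspx"))


def analyze(lines):
    """Return a list of findings, in log order."""
    findings = []
    last_upload = {}   # client ip -> time of its most recent POST to the upload endpoint
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, path, ts = ev["ip"], ev["path"], ev["ts"]
        if ev["method"] == "POST" and path == UPLOAD_ENDPOINT:
            last_upload[ip] = ts
            if not _is_trusted(ip):
                findings.append({"ip": ip, "path": path,
                                 "rule": "untrusted_upload", "severity": "medium"})
            continue
        # Any JSP page outside the baseline is worth a look; one requested shortly
        # after an upload from the same client is the pattern this CVE produces.
        if _is_jsp(path) and path not in KNOWN_JSP_PAGES:
            recent = last_upload.get(ip)
            if recent is not None and ts - recent <= CORRELATION_WINDOW:
                findings.append({"ip": ip, "path": path,
                                 "rule": "unknown_jsp_after_upload", "severity": "high"})
            else:
                findings.append({"ip": ip, "path": path,
                                 "rule": "unknown_jsp", "severity": "medium"})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The baseline set is the part that needs real data: populate it from the deployed application's own JSP inventory so that every page the product legitimately serves is known, and anything else served as JSP becomes a finding rather than noise.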
EUVD-2025-17692