CVE-2025-46612

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-46612
The Panel Designer dashboard in Airleader Master and Easy before 6.36 allows remote attackers to execute arbitrary commands via a wizard/workspace.jsp unrestricted file upload. To exploit this, the attacker must login to the administrator console (default credentials are weak and easily guessable) and upload a JSP file via the Panel Designer dashboard.

7.2 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-036.txt Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

AND
cpe:2.3:o:airleader:easy_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:airleader:easy:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:o:airleader:master_ii\+_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:airleader:master_ii\+:-:*:*:*:*:*:*:*
History

16 Oct 2025, 20:57

Type Values Removed Values Added
CPE cpe:2.3:h:airleader:master_ii\+:-:*:*:*:*:*:*:*
cpe:2.3:o:airleader:easy_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:airleader:easy:-:*:*:*:*:*:*:*
cpe:2.3:o:airleader:master_ii\+_firmware:*:*:*:*:*:*:*:*
References () https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-036.txt - () https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-036.txt - Exploit, Third Party Advisory
First Time Airleader master Ii\+
Airleader easy Firmware
Airleader easy
Airleader master Ii\+ Firmware
Airleader

12 Jun 2025, 16:06

Type Values Removed Values Added
Summary
  • (es) El panel del Diseñador de Paneles en Airleader Master y Easy (versión anterior a la 6.36) permite a atacantes remotos ejecutar comandos arbitrarios mediante la carga sin restricciones de archivos en el archivo wizard/workspace.jsp. Para aprovechar esta ventaja, el atacante debe iniciar sesión en la consola de administrador (las credenciales predeterminadas son débiles y fáciles de adivinar) y cargar un archivo JSP a través del panel del Diseñador de Paneles.

10 Jun 2025, 15:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-10 15:15

Updated : 2025-10-16 20:57

NVD link : CVE-2025-46612

Mitre link : CVE-2025-46612

CVE.ORG link : CVE-2025-46612

JSON object : View

Products Affected

airleader

  • easy_firmware
  • master_ii\+_firmware
  • master_ii\+
  • easy
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type