Airleader: Security Vulnerabilities
The Panel Designer dashboard in Airleader Master and Easy before 6.36 allows remote attackers to execute arbitrary commands via a wizard/workspace.jsp unrestricted file upload. To exploit this, the attacker must login to the administrator console (default credentials are weak and easily guessable) and upload a JSP file via the Panel Designer dashboard.
CVSS Score
7.2
EPSS Score
0.004
Published
2025-06-10
Airleader Master and Easy <= 6.21 devices have default credentials that can be used for a denial of service.
CVSS Score
7.5
EPSS Score
0.003
Published
2020-11-16
Airleader Master <= 6.21 devices have default credentials that can be used to access the exposed Tomcat Manager for deployment of a new .war file, with resultant remote code execution.
CVSS Score
9.8
EPSS Score
0.011
Published
2020-11-16