CVE-2026-1358

Airleader · Airleader Master

Airleader Master versions 6.381 and prior allow unauthenticated users to perform unrestricted file uploads to high-privilege webpages, potentially leading to remote code execution.

Executive summary

Airleader Master contains a critical unrestricted file upload vulnerability that allows unauthenticated attackers to achieve remote code execution with maximum system privileges.

Vulnerability

The software fails to restrict file uploads on multiple webpages that operate with maximum system privileges. This flaw allows an unauthenticated remote attacker to upload malicious scripts (such as web shells) and execute them directly on the server.

Business impact

The ability for an unauthenticated user to execute code with maximum privileges poses a catastrophic risk to the organization. Given the CVSS score of 9.8, this vulnerability could lead to a total takeover of the Airleader Master server, resulting in significant operational downtime, data theft, and potential physical infrastructure risks if the software controls critical systems.

Remediation

Immediate Action: Update all Airleader Master installations to the latest version without delay; the update implements the necessary file validation and authentication checks.

Proactive Monitoring: Inspect web server directories for unauthorized or suspicious file types (e.g., .php, .asp, .exe) and review access logs for unusual POST requests to administrative pages.

Compensating Controls: Deploy a Web Application Firewall (WAF) to block unauthorized file upload attempts and enforce strict "least privilege" permissions on the web server directories to prevent script execution.
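One way to carry out the monitoring step above, as an added example that is not part of the advisory or of Airleader's software: a Python script that flags script-like files under the web root (including double extensions such as shell.php.jpg) and POST requests to administrative pages in a combined-format access log. The web root, the admin-page prefixes and the sample log lines are assumptions, not paths from Airleader Master.

```python
import os
import re
from pathlib import Path

# Constructed example: SUSPICIOUS_EXT follows the advisory's examples (.php, .asp, .exe);
# ADMIN_PREFIXES and SAMPLE_LOG are assumptions, not paths taken from Airleader Master.
SUSPICIOUS_EXT = {".php", ".asp", ".aspx", ".jsp", ".exe"}
ADMIN_PREFIXES = ("/admin/", "/upload")
# Apache/nginx "combined" access-log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def classify_paths(paths):
    """Return, sorted, the paths where any extension (so shell.php.jpg counts) is script-like."""
    hits = []
    for p in paths:
        suffixes = {s.lower() for s in Path(p).suffixes}
        if suffixes & SUSPICIOUS_EXT:
            hits.append(p)
    return sorted(hits)

def find_suspicious_files(webroot):
    """Walk the web root and return every file that classify_paths() flags."""
    found = []
    for dirpath, _, names in os.walk(webroot):
        found.extend(os.path.join(dirpath, n) for n in names)
    return classify_paths(found)

def suspicious_posts(log_lines, admin_prefixes=ADMIN_PREFIXES):
    """Return (ip, path, status) for each POST to an admin page; unparsable lines are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and m["path"].startswith(admin_prefixes):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits

# Constructed log lines for a dry run; the upload path is invented.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Feb/2026:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/Feb/2026:10:01:09 +0000] "POST /admin/upload.php HTTP/1.1" 200 71',
    '198.51.100.4 - - [05/Feb/2026:10:02:00 +0000] "POST /login HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, path, status in suspicious_posts(SAMPLE_LOG):
        print(f"review: {ip} POST {path} -> {status}")
```

Point find_suspicious_files() at the real web root and feed suspicious_posts() the server's access log to triage hits; a flagged file is a starting point for review, not proof of compromise.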

Exploitation status

Public Exploit Available: No

Analyst recommendation

Due to the lack of authentication required and the high privileges associated with the vulnerable pages, this flaw represents a severe security gap. It is imperative that administrators apply the latest security updates immediately to prevent unauthenticated attackers from compromising the server.