Airleader Master
Act Now | CVSS 9.8 | ICS-CERT ICSA-26-043-10 | Feb 12, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
CWE-434 arbitrary file upload vulnerability in Airleader Master versions 6.381 and earlier allows remote code execution without authentication. Successful exploitation could give an attacker the ability to run arbitrary commands on the master controller device.
What this means
What could happen
An attacker with network access to an unpatched Airleader Master could execute arbitrary code on the device, potentially allowing them to alter setpoints, stop operations, or manipulate building automation system logic.
Who's at risk
Building automation operators and facility managers using Airleader Master systems for HVAC, lighting, or energy management control should treat this as critical—the master controller is a central point that could affect entire facility operations if compromised.
How it could be exploited
An attacker sends a malicious file or request to the Airleader Master over the network. The device fails to properly validate the input, allowing arbitrary code to be executed with the privileges of the Airleader Master process.
Prerequisites
- Network access to Airleader Master on its listening port
- No authentication required
Remotely exploitable | No authentication required | Low complexity attack | Critical severity (CVSS 9.8) | Allows code execution
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
Airleader Master: <=6.381 | ≤ 6.381 | 6.386
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade Airleader Master to version 6.386 or later
HARDENING: Contact Airleader support for mitigation assistance and upgrade planning
Long-term hardening
HARDENING: Implement network segmentation to restrict access to Airleader Master from untrusted networks
CVEs (1)
API:
/api/v1/advisories/dd693183-c39e-4856-93aa-7b83f10d0c8b