
Critical Airleader Master Flaw Allows Unauthenticated RCE: Patch Immediately

Security Arsenal Team
February 26, 2026


A critical security vulnerability has been identified in Airleader Master, a compressed air management system deployed across critical infrastructure sectors. Tracked as CVE-2026-1358, the flaw carries a CVSS v3.1 base score of 9.8 (Critical) and permits unauthenticated remote code execution (RCE) on affected servers.

Given its deployment in sectors such as Chemical, Energy, Healthcare, and Water and Wastewater, this vulnerability represents a significant risk to operational technology (OT) environments worldwide. Security Arsenal urges organizations to identify affected assets immediately and apply the vendor patch.

Vulnerability Deep Dive

At its core, CVE-2026-1358 is an Unrestricted Upload of File with Dangerous Type (CWE-434). This vulnerability affects Airleader Master versions 6.381 and prior.

Technical Breakdown

The vulnerability resides in the web interface of the Airleader Master application. Several of its web pages accept file uploads without validating either the file extension or the content type, so a file of any type, including server-side script or an executable, is written to disk under the client-supplied name. Crucially, the upload handlers run with maximum system privileges, so whatever is uploaded inherits those privileges when it executes.

Attack Vector

An attacker does not require valid credentials to exploit this flaw. The attack vector is network-based (AV:N) with low attack complexity (AC:L) and no privileges required (PR:N).

  1. Identification: The attacker scans for Airleader Master web interfaces reachable from their position on the network (often exposed inadvertently through port-forwarding rules, or reachable through a VPN that lands remote users on the control network).
  2. Upload: The attacker sends a crafted HTTP POST request containing a file of a dangerous type (a web shell, script, or binary) to one of the upload pages.
  3. Execution: Because the server stores the file without checking its extension or content and the upload handler runs with high privileges, the attacker can then trigger execution of the uploaded code (the standard web-shell pattern).
  4. Compromise: Successful execution grants the attacker full control over the underlying operating system, allowing them to disrupt compressed air processes, move laterally to other ICS components, or deploy ransomware.
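The weakness class described above (CWE-434), as an added example that is not Airleader code: a handler that computes where an unchecked, client-named upload would land, beside a hardened version that allowlists extensions, rejects double extensions and traversal, checks magic bytes rather than the declared Content-Type, and stores the file under a server-chosen name. The directory layout, the allowlist and the sample uploads are constructed for illustration.

```python
"""Added example (not Airleader code): the CWE-434 pattern the advisory
describes, beside the checks that close it. Directory layout, the sample
uploads and the allowlist are constructed for illustration."""
import os
import re
import tempfile
import uuid
from pathlib import Path

# Allowlist: extension -> leading magic bytes the content must carry, and the
# Content-Type a client is expected to declare for it.
ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".pdf": b"%PDF-"}
EXPECTED_TYPE = {".png": "image/png", ".jpg": "image/jpeg", ".pdf": "application/pdf"}
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Constructed sample uploads: (client-supplied name, bytes, declared Content-Type).
SAMPLES = [
    ("report.png", ALLOWED[".png"] + b"\x00" * 16, "image/png"),      # benign
    ("shell.aspx", b'<%@ Page Language="C#" %>', "image/png"),         # web shell, lying Content-Type
    ("shell.png.php", b"<?php system($_GET['c']); ?>", "image/png"),   # double extension
    ("shell.aspx.png", ALLOWED[".png"] + b"<%...%>", "image/png"),     # double extension, other order
    ("../../wwwroot/cmd.jsp", b"<% %>", "application/octet-stream"),   # path traversal
    ("photo.PNG", b"GIF89a" + b"\x00" * 16, "image/png"),             # extension/content mismatch
]


class UploadRejected(ValueError):
    """Raised by hardened_save when a check fails; the message names the check."""


def vulnerable_destination(upload_dir: Path, filename: str) -> Path:
    """The weakness: the client-supplied name is used as-is and nothing about the
    type is checked, so the caller would write a script wherever the name points.
    Only the destination is computed; nothing is written to disk."""
    return (upload_dir / filename).resolve()


def traversal_escapes(filename: str, upload_dir: str = "/srv/airleader/uploads") -> bool:
    """True if the vulnerable handler would write outside upload_dir (hypothetical path)."""
    base = Path(upload_dir)
    return not vulnerable_destination(base, filename).is_relative_to(base.resolve())


def hardened_save(upload_dir: Path, filename: str, data: bytes, content_type: str) -> Path:
    """Validate, then store. Each check maps to one abuse of the vulnerable version."""
    # 1. Keep only the final path component; discard anything resembling a directory.
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    # 2. Allowlist extensions. A denylist (.php, .aspx, ...) is always one extension short.
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # 3. The stem must be a plain token, so 'shell.aspx.png' cannot reach a handler
    #    that keys on the first extension.
    if not SAFE_STEM.fullmatch(stem):
        raise UploadRejected(f"unsafe file name {base!r}")
    # 4. Trust the bytes, not the declared type: magic must match the extension,
    #    and the declared type must agree as well.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected(f"content does not look like {ext}")
    if content_type != EXPECTED_TYPE[ext]:
        raise UploadRejected(f"declared type {content_type!r} does not match {ext}")
    # 5. Server-chosen name and a final containment check before the write.
    dest = (upload_dir / f"{uuid.uuid4().hex}{ext}").resolve()
    if not dest.is_relative_to(upload_dir.resolve()):
        raise UploadRejected("destination escapes the upload directory")
    dest.write_bytes(data)
    return dest


def triage(samples=SAMPLES) -> dict:
    """Run every sample through hardened_save in a throwaway directory (standing in
    for a store outside the web root) and report the verdict per client-supplied name."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        upload_dir = Path(tmp)
        for name, data, ctype in samples:
            try:
                hardened_save(upload_dir, name, data, ctype)
                results[name] = "accepted"
            except UploadRejected as exc:
                results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    print("vulnerable handler would write to:",
          vulnerable_destination(Path("/srv/airleader/uploads"), "../../wwwroot/cmd.jsp"))
    for name, verdict in triage().items():
        print(f"{name:24} {verdict}")
```

Only the benign PNG is accepted; every other sample is stopped by a different check, which is the point: extension allowlisting alone would have passed `shell.aspx.png` and the GIF-bodied `photo.PNG`, and a storage directory outside the web root plus a server-generated name removes the execution path even if a check is later weakened.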

Detection and Threat Hunting

Security teams must assume that active scanning for this vulnerability is already underway. Below are detection logic queries and scripts to help identify potentially malicious activity or vulnerable assets.

KQL Queries for Sentinel/Defender

Use the following KQL query to hunt for the artifact an exploitation attempt leaves on the host: a script or executable written to disk by the Airleader Master process. A successful upload has to land on the filesystem before it can run, so file-creation telemetry catches it regardless of which web server fronts the application.

let SuspiciousExtensions = dynamic([".php", ".asp", ".aspx", ".jsp", ".exe", ".sh", ".dll", ".ps1", ".bat"]);
DeviceFileEvents
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
// Files written by the Airleader Master process; widen the match if it runs under a generic host such as java.exe or w3wp.exe
| where InitiatingProcessFolderPath has "Airleader" or InitiatingProcessFileName has "Airleader"
| extend Extension = tolower(extract(@"(\.[^.\\/]+)$", 1, FileName))
| where Extension in (SuspiciousExtensions)
| project Timestamp, DeviceName, ActionType, FolderPath, FileName, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| extend IoCFlag = "Potential web shell dropped via upload handler"
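The same hunt from the web-server log side, as an added example that is not part of the advisory or the vendor's tooling: a client POSTs to an upload page and shortly afterwards requests a script under the directory where uploads become reachable. The log field layout, the `/upload` endpoint and the `/files/` directory are assumptions standing in for the real Airleader Master paths, and the log lines are constructed.

```python
"""Added example (not the advisory's or the vendor's): the upload-then-execute
hunt run offline over constructed web-server log lines. The field layout, the
/upload endpoint and the /files/ directory are assumptions; substitute the real
Airleader Master paths."""
from collections import defaultdict
from datetime import datetime, timedelta

DANGEROUS_EXT = (".php", ".asp", ".aspx", ".jsp", ".exe", ".sh", ".dll", ".ps1", ".bat")
UPLOAD_ENDPOINTS = {"/upload"}      # assumption: the page(s) that accept files
SERVED_DIRS = ("/files/",)          # assumption: where uploaded files become web-reachable
                                    # (restricting to it keeps the app's own .aspx/.jsp pages from being flagged)

# Constructed sample log: date time client-ip method uri status user-agent
SAMPLE_LOG = """\
2026-02-26 10:01:02 203.0.113.7 POST /upload 200 python-requests/2.31
2026-02-26 10:01:05 203.0.113.7 GET /files/cmd.aspx 200 python-requests/2.31
2026-02-26 10:01:06 203.0.113.7 GET /files/cmd.aspx?c=whoami 200 python-requests/2.31
2026-02-26 10:15:00 198.51.100.9 POST /upload 200 Mozilla/5.0
2026-02-26 10:15:30 198.51.100.9 GET /files/report.pdf 200 Mozilla/5.0
2026-02-26 11:00:00 192.0.2.44 GET /files/old.php 404 curl/8.4
2026-02-26 11:30:00 192.0.2.44 GET /login.aspx 200 curl/8.4
"""


def parse(log_text: str) -> list:
    """Turn the constructed log format into event dicts; the query string is dropped
    because only the served path matters for the extension check."""
    events = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        date, clock, ip, method, uri, status, agent = line.split(maxsplit=6)
        events.append({
            "ts": datetime.fromisoformat(f"{date} {clock}"),
            "ip": ip, "method": method,
            "path": uri.split("?", 1)[0],
            "status": int(status), "agent": agent,
        })
    return events


def is_dangerous_path(path: str) -> bool:
    p = path.lower()
    return p.startswith(SERVED_DIRS) and p.endswith(DANGEROUS_EXT)


def hunt(log_text: str = SAMPLE_LOG, window: timedelta = timedelta(minutes=10)) -> list:
    """One finding per request for a script/binary under an upload-served directory.
    Confidence rises when the same client POSTed to an upload endpoint within the
    window beforehand and the file was actually served (HTTP 200)."""
    events = parse(log_text)
    uploads = defaultdict(list)   # client ip -> timestamps of POSTs to upload endpoints
    for e in events:
        if e["method"] == "POST" and e["path"] in UPLOAD_ENDPOINTS:
            uploads[e["ip"]].append(e["ts"])
    findings = []
    for e in events:
        if not is_dangerous_path(e["path"]):
            continue
        preceded = any(timedelta(0) <= e["ts"] - t <= window for t in uploads[e["ip"]])
        if e["status"] == 200 and preceded:
            kind, severity = "upload_then_execute", "high"
        elif e["status"] == 200:
            kind, severity = "script_served", "high"
        else:
            kind, severity = "script_probe", "low"   # scanning for shells that are not there
        findings.append({"ts": e["ts"].isoformat(sep=" "), "ip": e["ip"], "path": e["path"],
                         "status": e["status"], "kind": kind, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in hunt():
        print(f"{f['severity']:5} {f['kind']:20} {f['ip']:14} {f['status']} {f['path']}")
```

On the sample data the first client produces two high-severity `upload_then_execute` findings, the PDF download is never touched, and the 404 for `/files/old.php` surfaces as a low-severity probe, which is the scanning activity the paragraph above says to expect. Scoping the check to the upload-served directory is deliberate: without it every legitimate `.aspx` or `.jsp` page of the application itself would fire.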


To identify potentially vulnerable versions of the software running on your network, query process telemetry for the version the EDR records from the binary's resource block (whether this field is populated depends on the EDR integration, so empty values are kept for manual follow-up):

DeviceProcessEvents
| where FileName has "Airleader" or FolderPath has "Airleader"
// ProcessVersionInfoProductVersion is the version stamped in the binary's resources; it can be empty
| extend Version = parse_version(ProcessVersionInfoProductVersion)
| summarize LastSeen = max(Timestamp) by DeviceName, FolderPath, ProcessVersionInfoProductVersion, Version
| where isempty(ProcessVersionInfoProductVersion) or Version <= parse_version("6.381")

PowerShell Script for Asset Validation

If you have administrative access to the servers running Airleader Master, you can use the following PowerShell snippet to check the file version of the main executable to determine if it is vulnerable. Note: You may need to adjust the path based on your specific installation directory.

# Check Airleader Master Version
$installPath = "C:\Program Files (x86)\Airleader" # Default path, verify in your environment
$targetExe = "AirleaderMaster.exe"                 # Verify the executable name in your environment
$fullPath = Join-Path -Path $installPath -ChildPath $targetExe
$patchedVersion = [version]"6.386"                 # First fixed release named by the vendor

if (Test-Path $fullPath) {
    $info = (Get-Item $fullPath).VersionInfo
    # FileVersion can be empty or carry trailing text; fall back to ProductVersion and keep the numeric part
    $raw = if ($info.FileVersion) { $info.FileVersion } else { $info.ProductVersion }
    $match = [regex]::Match([string]$raw, '\d+(\.\d+)+')
    if (-not $match.Success) {
        Write-Host "[WARN] Could not parse a version from '$raw'; check the binary manually." -ForegroundColor Yellow
        return
    }
    $version = [version]$match.Value
    Write-Host "Detected Airleader Master Version: $version" -ForegroundColor Cyan

    # 6.381 and prior are affected; anything below the first fixed release is treated as unpatched
    if ($version -lt $patchedVersion) {
        Write-Host "[ALERT] This version is VULNERABLE to CVE-2026-1358." -ForegroundColor Red
    } else {
        Write-Host "[INFO] This version appears to be patched." -ForegroundColor Green
    }
} else {
    Write-Host "Airleader Master executable not found at $installPath. Please verify the installation path." -ForegroundColor Yellow
}

Mitigation and Remediation

Airleader GmbH has released a fix to address this vulnerability. Security Arsenal strongly recommends the following actions:

  1. Update Immediately: Upgrade Airleader Master to version 6.386 or later. This is the only guaranteed way to remove the vulnerability.
  2. Network Segmentation: If immediate patching is not possible, ensure that Airleader Master devices are not accessible from the internet. Place control system networks and devices behind firewalls and isolate them from the business network.
  3. Secure Remote Access: If remote access is required, utilize secure methods such as VPNs. Ensure that the VPN software itself is up-to-date. Remember that a VPN is only as secure as the devices connected to it.
  4. Contact Vendor: Reach out to Airleader via email or their web form for specific mitigation assistance if you cannot upgrade immediately.

Executive Takeaways

  • Severity is Critical: A CVSS score of 9.8 reflects a flaw that is reachable over the network, needs no privileges and no user interaction, has low attack complexity, and yields high impact on confidentiality, integrity and availability.
  • No Authentication Required: Attackers do not need to steal credentials first; they simply need network access to the web interface.
  • OT Impact: Compressed air is a utility required in manufacturing. Disruption here can halt production lines, impacting revenue and safety.
