VYPR
Medium severity, score 5.3 · NVD Advisory · Published Jan 8, 2026 · Updated Apr 15, 2026

CVE-2019-25259

Description

Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can trick logged-in users into executing unauthorized actions by crafting malicious web pages that submit requests to the application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site request forgery in Leica Geosystems GR10/GR25/GR30/GR50 GNSS receivers allows attackers to perform administrative actions without request validation.

The Leica Geosystems GR10, GR25, GR30, and GR50 GNSS reference station receivers running firmware versions 1.00.395 through 4.30.063 contain a cross-site request forgery (CSRF) vulnerability. The web interface carries out certain administrative actions in response to HTTP requests without any check, such as a CSRF token or an Origin/Referer comparison, that the request was intentionally submitted by the logged-in user rather than by a third-party page [1][3].

An attacker can exploit this vulnerability by crafting a malicious web page that, when visited by an authenticated user, submits forged HTTP requests to the device. The proof-of-concept code provided in the advisory demonstrates how an attacker can create a new administrative user by submitting a POST request to the config_UserManagementPostBackHelper.lsp endpoint with arbitrary credentials and roles [3]. The attack requires the user to be logged in to the GNSS receiver's web interface at the time of visiting the malicious page.

Successful exploitation allows an attacker to perform arbitrary administrative actions, including creating, modifying, or deleting user accounts, changing device configuration, and potentially gaining full control over the receiver. The impact is significant as these devices are often used in critical infrastructure and surveying applications where unauthorized access could lead to data manipulation or service disruption.

No official patch has been released by Leica Geosystems as of the publication date. Users are advised to restrict network access to the device's web interface, use strong passwords, and avoid browsing untrusted websites while logged into the device.
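The missing check described above, shown as an added example rather than any code from Leica Geosystems: a server-side guard that treats a state-changing request to the user-management endpoint as forged unless it carries both a matching Origin (or Referer) and a session-bound synchronizer token. The device host name, the `Session` class and the form field name `csrf_token` are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Endpoint named in the advisory; the device origin is an assumed placeholder.
ADMIN_ENDPOINTS = {"/config_UserManagementPostBackHelper.lsp"}
DEVICE_ORIGIN = "https://gnss.example.internal"
STATE_CHANGING = {"POST", "PUT", "DELETE"}


class Session:
    """Hypothetical login session that owns one random CSRF token."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def _request_origin(headers):
    """Derive the requesting origin from Origin, falling back to Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None  # neither header present: fail closed below


def is_forged_admin_request(session, method, path, headers, form):
    """Return True if a state-changing admin request fails the CSRF checks."""
    if path not in ADMIN_ENDPOINTS or method.upper() not in STATE_CHANGING:
        return False  # not an admin write; nothing to enforce here
    # Check 1: the browser-supplied origin must be the device itself.
    if _request_origin(headers) != DEVICE_ORIGIN:
        return True
    # Check 2: the form must echo the session token (constant-time compare).
    token = form.get("csrf_token", "")
    return not hmac.compare_digest(token.encode(), session.csrf_token.encode())


if __name__ == "__main__":
    s = Session()
    path = "/config_UserManagementPostBackHelper.lsp"
    # Constructed requests: one from a third-party page, one from the device's own UI.
    cross_site = is_forged_admin_request(s, "POST", path, {"Origin": "https://third-party.example"}, {})
    same_site = is_forged_admin_request(s, "POST", path, {"Origin": DEVICE_ORIGIN}, {"csrf_token": s.csrf_token})
    print("cross-site request rejected:", cross_site, "| legitimate request rejected:", same_site)
```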

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 4

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.