Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 Cross-Site Request Forgery

Advisories

severity: medium
date: January 7, 2026
Affecting: Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063, 4.20.232, 4.11.606, 3.22.1818, 3.10.1633, 2.62.782, 1.00.395
CVE: CVE-2019-25259
CWE: CWE-352 Cross-Site Request Forgery (CSRF)
CVSS: 5.1
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
References: Zero Science Lab Vulnerability Advisory
Exploit Database Entry 46090
Packet Storm Security Exploit File
IBM X-Force Vulnerability Exchange Entry
Leica Geosystems Vendor Homepage
Credit: LiquidWorm as Gjoko Krstic of Zero Science Lab
Description: Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without request validation. Attackers can trick logged-in users into executing unauthorized actions by crafting malicious web pages that submit requests to the application.