CVE-2025-22962

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-22962
A critical remote code execution (RCE) vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT, VAXT transmitters when debugging mode is enabled. An attacker with a valid session ID (sess_id) can send specially crafted POST requests to the /json endpoint, enabling arbitrary command execution on the underlying system. This vulnerability can lead to full system compromise, including unauthorized access, privilege escalation, and potentially full device takeover.

7.2 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-22962
Configurations

No configuration.

History

15 Apr 2026, 00:35

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad crítica de ejecución remota de código (RCE) en la interfaz de administración basada en web de los transmisores GatesAir Maxiva UAXT y VAXT cuando está habilitado el modo de depuración. Un atacante con un ID de sesión válido (sess_id) puede enviar solicitudes POST especialmente manipuladas al endpoint /json, lo que permite la ejecución arbitraria de comandos en el sistema subyacente. Esta vulnerabilidad puede provocar un compromiso total del sistema, incluido el acceso no autorizado, la escalada de privilegios y, potencialmente, la toma de control total del dispositivo.

14 Feb 2025, 16:15

Type Values Removed Values Added
CWE CWE-77
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.2

13 Feb 2025, 23:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-02-13 23:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-22962

Mitre link : CVE-2025-22962

CVE.ORG link : CVE-2025-22962

JSON object : View

Products Affected

No product.

CWE
CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')