CVE-2025-22962

HIGH

GatesAir Maxiva UAXT/VAXT - RCE

Title source: llm

Description

A critical remote code execution (RCE) vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT, VAXT transmitters when debugging mode is enabled. An attacker with a valid session ID (sess_id) can send specially crafted POST requests to the /json endpoint, enabling arbitrary command execution on the underlying system. This vulnerability can lead to full system compromise, including unauthorized access, privilege escalation, and potentially full device takeover.

References (1)

Core 1

Core References

Various Sources

https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-22962

View Writeup ZIP pw:eip

Scores

CVSS v3 7.2

EPSS 0.0112

EPSS Percentile 78.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-77

Status published

Published Feb 13, 2025

Tracked Since Feb 18, 2026