CVE-2025-22962
Published: 13 February 2025
Description
A critical remote code execution (RCE) vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT and VAXT transmitters when debugging mode is enabled. An attacker with a valid session ID (sess_id) can send specially crafted POST requests to the /json endpoint, enabling arbitrary command execution on the underlying system. This vulnerability can lead to full system compromise, including unauthorized access, privilege escalation, and potentially full device takeover.
Security Summary
A critical remote code execution (RCE) vulnerability, identified as CVE-2025-22962 and published on 2025-02-13, affects the web-based management interface of GatesAir Maxiva UAXT and VAXT transmitters when debugging mode is enabled. The issue, linked to CWE-77 (Command Injection), allows an attacker with a valid session ID (sess_id) to send specially crafted POST requests to the /json endpoint, resulting in arbitrary command execution on the underlying system. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high impact across confidentiality, integrity, and availability.
Exploitation requires an attacker to possess a valid session ID, implying prior authentication with high privileges (PR:H). Once obtained, the attacker can remotely execute arbitrary commands over the network with low complexity and no user interaction, leading to full system compromise. This includes unauthorized access to the device, privilege escalation, and potential full device takeover.
Advisories and further technical details, including proof-of-concept information, are available in the referenced GitHub repository at https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-22962. No specific patch or mitigation guidance is detailed in the primary CVE description.
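Because exploitation needs a valid sess_id and goes through POST requests to /json, two signals are worth monitoring on the transmitter's management interface: POST /json traffic from outside the management network, and one sess_id appearing from more than one source address (possible session theft or reuse). The following is an added example, not code from the advisory or the referenced repository; the access-log format, the management network 10.0.5.0/24, and sess_id being carried as a query parameter are assumptions made for the constructed sample and must be adjusted to the real device's logging.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample access-log lines (common log format). The real interface's
# log format and where sess_id is carried are assumptions, not from the advisory.
SAMPLE_LOG = """\
10.0.5.20 - - [13/Feb/2025:09:01:10 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.5.20 - - [13/Feb/2025:09:01:12 +0000] "POST /json?sess_id=ab12 HTTP/1.1" 200 310
203.0.113.77 - - [13/Feb/2025:09:03:41 +0000] "POST /json?sess_id=ab12 HTTP/1.1" 200 88
203.0.113.77 - - [13/Feb/2025:09:03:42 +0000] "POST /json?sess_id=ab12 HTTP/1.1" 200 91
10.0.5.31 - - [13/Feb/2025:09:05:00 +0000] "POST /json?sess_id=cd34 HTTP/1.1" 200 300
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)')

def parse(log_text):
    """Yield one dict per parsable log line, with sess_id and endpoint split out."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        q = re.search(r'[?&]sess_id=([^&\s]+)', rec['path'])
        rec['sess_id'] = q.group(1) if q else None
        rec['endpoint'] = rec['path'].split('?', 1)[0]
        yield rec

def find_suspicious(log_text, mgmt_nets=('10.0.5.0/24',)):
    """Flag POST /json from outside the management network and sess_id reuse across IPs."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    ips_per_session = defaultdict(set)
    findings = []
    for rec in parse(log_text):
        if rec['method'] != 'POST' or rec['endpoint'] != '/json':
            continue
        ip = ipaddress.ip_address(rec['ip'])
        if not any(ip in n for n in nets):
            findings.append(('json_post_outside_mgmt_net', rec['ip'], rec['sess_id'], rec['ts']))
        if rec['sess_id']:
            ips_per_session[rec['sess_id']].add(rec['ip'])
    for sid, ips in ips_per_session.items():
        if len(ips) > 1:
            findings.append(('session_id_reused_from_multiple_ips', sid, tuple(sorted(ips))))
    return findings

if __name__ == '__main__':
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```

On the constructed sample this reports the two POST /json requests from 203.0.113.77 and the reuse of sess_id ab12 from both 10.0.5.20 and 203.0.113.77; disabling debugging mode on the transmitter removes the vulnerable condition the advisory describes.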
Details
- CWE(s)