CVE-2025-22961 Information

Description

A critical information disclosure vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT, VAXT transmitters due to Incorrect Access Control (CWE-284). Unauthenticated attackers can directly access sensitive database backup files (snapshot_users.db) via publicly exposed URLs (/logs/devcfg/snapshot/ and /logs/devcfg/user/). Exploiting this vulnerability allows retrieval of sensitive user data, including login credentials, potentially leading to full system compromise.

Reference

https://github.com/shiky8/my–cve-vulnerability-research/tree/main/CVE-2025-22961
