CVE-2025-22962 Information

Description

A critical remote code execution (RCE) vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT VAXT transmitters when debugging mode is enabled. An attacker with a valid session ID (sess_id) can send specially crafted POST requests to the /json endpoint enabling arbitrary command execution on the underlying system. This vulnerability can lead to full system compromise including unauthorized access privilege escalation and potentially full device takeover.

Reference

https://github.com/shiky8/my–cve-vulnerability-research/tree/main/CVE-2025-22962