CVE-2025-22962
Published: 13 February 2025
Summary
CVE-2025-22962 is a high-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the top 21.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
CM-6 (Configuration Settings): secure configuration settings directly mitigate the vulnerability by keeping debugging mode disabled in the web management interface, which removes the condition under which the /json endpoint is exploitable.
SI-10 (Information Input Validation): validating the fields of POST requests to the /json endpoint addresses the command injection (CWE-77) at its root, so that crafted values are rejected instead of reaching a command interpreter.
CM-7 (Least Functionality): disabling non-essential debugging capabilities eliminates the conditions that enable arbitrary command execution.
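The three controls above in working form, as an added illustration written for this page rather than code from GatesAir or the affected firmware. The handler functions, the `host` field, the `ping` command and the `DEBUG_MODE_ENABLED` flag are assumptions; what the example shows is the pattern: a debug feature that ships off (CM-6, CM-7), strict validation of the one value the endpoint accepts (SI-10), and execution through an argv list instead of a shell string.

```python
"""CWE-77 pattern beside a hardened rewrite (hypothetical illustration).

Example code written for this page, not GatesAir firmware and not the real
/json handler. The handler functions, the 'host' field, the 'ping' command
and the DEBUG_MODE_ENABLED flag are all assumptions.
"""
import ipaddress
import subprocess

# CM-6 / CM-7: the debugging feature exists but ships disabled; it must be
# switched on deliberately rather than being reachable on every device.
DEBUG_MODE_ENABLED = False


def build_shell_command_vulnerable(request: dict) -> str:
    """Weak pattern: a JSON field is spliced into a command string that a
    shell=True call would then execute. A value like '8.8.8.8; id' turns
    one command into two."""
    return f"ping -c 1 {request['host']}"


def build_argv_hardened(request: dict) -> list:
    """SI-10: accept only the one shape the field may take (an IP literal)
    and hand it over as a single argv element, so no shell parses it."""
    host = request.get("host", "")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        raise ValueError(f"rejected host value: {host!r}") from None
    return ["ping", "-c", "1", host]


def debug_endpoint(request: dict) -> list:
    """CM-7: the endpoint refuses to do anything while debug is disabled,
    so a stolen or leaked session alone is not enough to reach the sink."""
    if not DEBUG_MODE_ENABLED:
        raise PermissionError("debug mode is disabled")
    return build_argv_hardened(request)


def echo_literal(value: str) -> str:
    """Shows why the argv form matters: without shell=True the metacharacters
    in 'value' are passed through literally instead of being interpreted.
    'echo' is used so the demo never runs the injected command."""
    result = subprocess.run(["echo", value], capture_output=True,
                            text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    payload = {"host": "8.8.8.8; id"}
    print("vulnerable would run :", build_shell_command_vulnerable(payload))
    print("argv form sees       :", echo_literal(payload["host"]))
    for req in ({"host": "8.8.8.8"}, payload):
        try:
            print("hardened argv        :", build_argv_hardened(req))
        except ValueError as exc:
            print("hardened rejected    :", exc)
```

Validation here is an allowlist (an IP literal and nothing else); a denylist of shell characters is the weaker choice because it has to anticipate every interpreter feature. Note also that the hardened path still checks the debug flag first: input validation and least functionality are independent layers, and either one alone would have stopped the request.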
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection RCE in the web management interface maps directly to T1190 (Exploit Public-Facing Application) and T1059.004 (Command and Scripting Interpreter: Unix Shell), i.e. arbitrary shell command execution on the device.
NVD Description
A critical remote code execution (RCE) vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT, VAXT transmitters when debugging mode is enabled. An attacker with a valid session ID (sess_id) can send specially crafted POST requests to the /json endpoint, enabling arbitrary command execution on the underlying system. This vulnerability can lead to full system compromise, including unauthorized access, privilege escalation, and potentially full device takeover.
Deeper analysis
A critical remote code execution (RCE) vulnerability, identified as CVE-2025-22962 and published on 2025-02-13, affects the web-based management interface of GatesAir Maxiva UAXT and VAXT transmitters when debugging mode is enabled. The issue, linked to CWE-77 (Command Injection), allows an attacker with a valid session ID (sess_id) to send specially crafted POST requests to the /json endpoint, resulting in arbitrary command execution on the underlying system. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high impact across confidentiality, integrity, and availability.
Exploitation requires an attacker to possess a valid session ID, implying prior authentication with high privileges (PR:H). Two preconditions therefore gate the attack: debugging mode must be enabled on the transmitter, and the attacker must hold a valid sess_id. Once both hold, the attacker can remotely execute arbitrary commands over the network with low complexity and no user interaction, leading to full system compromise: unauthorized access to the device, privilege escalation, and potential full device takeover.
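For detection and incident response, the request shape described above (an authenticated POST to /json whose body carries shell metacharacters) is something a reverse proxy or packet capture in front of the management interface can be screened for. The following is an added example written for this page, not a GatesAir log format or tooling: the JSON-lines record layout, the field names (`src`, `sess_id`, `body`) and the sample records are constructed assumptions.

```python
"""Screen captured HTTP requests for the CVE-2025-22962 request shape.

Added example with a constructed record format: one JSON object per line
with method, path, sess_id, src and the raw request body. It is not a
GatesAir log format, and the sample records below are made up.
"""
import json
import re

# Shell constructs that have no business inside a management API value:
# command separators, pipes, backticks, $(...) / ${...}, redirection, newline.
SHELL_META = re.compile(r"[;|`\n>]|&&|\$\(|\$\{")


def walk_strings(obj, path=""):
    """Yield (key_path, string) for every string leaf in a decoded body."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from walk_strings(val, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from walk_strings(val, f"{path}[{idx}]")
    elif isinstance(obj, str):
        yield path, obj


def inspect_record(rec):
    """Return a finding for a POST to /json whose body carries shell
    metacharacters, else None. Non-JSON bodies are scanned as raw text."""
    if rec.get("method") != "POST":
        return None
    if rec.get("path", "").split("?", 1)[0] != "/json":
        return None
    raw = rec.get("body", "")
    try:
        body = json.loads(raw)
    except json.JSONDecodeError:
        body = raw
    hits = [(p, s) for p, s in walk_strings(body) if SHELL_META.search(s)]
    if not hits:
        return None
    return {
        "ts": rec.get("ts"),
        "src": rec.get("src"),
        "sess_id": rec.get("sess_id"),   # which admin session was used
        "fields": [p for p, _ in hits],
        "values": [s for _, s in hits],
    }


def scan(lines):
    """Run inspect_record over JSON-lines input, skipping blank/bad lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = inspect_record(rec)
        if finding:
            findings.append(finding)
    return findings


def sessions_involved(findings):
    """Session IDs seen in findings: the first thing to revoke and trace."""
    return sorted({f["sess_id"] for f in findings if f.get("sess_id")})


# Constructed sample records (not real traffic).
SAMPLE_RECORDS = [
    {"ts": "2025-02-13T10:00:01Z", "src": "10.0.0.5", "method": "GET",
     "path": "/status", "sess_id": "abc123", "body": ""},
    {"ts": "2025-02-13T10:00:02Z", "src": "10.0.0.5", "method": "POST",
     "path": "/json", "sess_id": "abc123",
     "body": json.dumps({"cmd": "get_status"})},
    {"ts": "2025-02-13T10:00:03Z", "src": "10.0.0.5", "method": "POST",
     "path": "/json", "sess_id": "abc123",
     "body": json.dumps({"cmd": "get_status", "param": "1; cat /etc/shadow"})},
    {"ts": "2025-02-13T10:00:04Z", "src": "10.0.0.9", "method": "POST",
     "path": "/login", "sess_id": None,
     "body": json.dumps({"user": "a;b", "pass": "x"})},
    {"ts": "2025-02-13T10:00:05Z", "src": "10.0.0.9", "method": "POST",
     "path": "/json?v=2", "sess_id": "deadbeef",
     "body": json.dumps({"opts": [{"name": "$(id)"}]})},
]
SAMPLE_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(finding)
    print("sessions to revoke:", sessions_involved(scan(SAMPLE_LINES)))
```

Ordinary web-server access logs do not record request bodies, so this has to run on proxy or capture data that does. The metacharacter class is a heuristic and will fire on fields that legitimately carry free text; tune it to the values the device's API actually accepts. The sess_id carried on a hit is the most useful field for response: it tells you which authenticated session was used and therefore which credential or session token to revoke and trace.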
Advisories and further technical details, including proof-of-concept information, are available in the referenced GitHub repository at https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-22962. No specific patch or mitigation guidance is detailed in the primary CVE description; since the flaw is only reachable with debugging mode enabled, keeping that mode disabled is the practical interim mitigation.
Details
- CWE(s)