CVE-2025-22962
Published: 13 February 2025
Summary
CVE-2025-22962 is a high-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 21.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).
Deeper analysis
A critical remote code execution vulnerability affects the web-based management interface of GatesAir Maxiva UAXT and VAXT transmitters when debugging mode is enabled. The flaw, tracked as CVE-2025-22962 and assigned CWE-77, resides in the /json endpoint and permits an authenticated attacker to execute arbitrary commands on the underlying system through specially crafted POST requests that include a valid session ID.
An attacker who obtains a valid sess_id can exploit the issue over the network to achieve full system compromise. Successful exploitation grants unauthorized access, privilege escalation, and potential device takeover. The CVSS 7.2 rating reflects high impact to confidentiality, integrity, and availability, with low attack complexity but high privileges required.
The sole reference is a public GitHub repository containing researcher analysis of the vulnerability; no vendor advisory, patch information, or mitigation guidance is provided in the available data. The associated EPSS score remains low and unchanged at 0.0112, with no indication of rising exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3056
Vulnerability details
A critical remote code execution (RCE) vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT and VAXT transmitters when debugging mode is enabled. An attacker with a valid session ID (sess_id) can send specially crafted POST requests to the /json endpoint, enabling arbitrary command execution on the underlying system. This vulnerability can lead to full system compromise, including unauthorized access, privilege escalation, and potentially full device takeover.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection RCE in the web management interface directly enables T1190 (exploiting a public-facing application) and T1059.004 (arbitrary Unix shell command execution on the device).
Mitigating Controls (NIST 800-53 r5)
Secure configuration settings directly mitigate the vulnerability by disabling debugging mode in the web management interface, preventing the /json endpoint from being exploitable.
Information input validation comprehensively addresses the command injection (CWE-77) in specially crafted POST requests to the /json endpoint.
Least functionality ensures non-essential debugging capabilities are disabled, eliminating the conditions that enable arbitrary command execution.
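To illustrate how the configuration-settings, input-validation and least-functionality controls above fit together, the following is an added example in Python; it is hypothetical code written for this page, not GatesAir firmware or anything from the referenced research. It contrasts a string-concatenating "before" pattern (the CWE-77 shape) with a hardened JSON handler that refuses requests when debugging is off, checks the session, allowlists actions, validates the one free-form field, and returns an argument vector that is never handed to a shell.

```python
import json
import re

# Constructed, hypothetical handler for a /json-style endpoint; it is NOT
# GatesAir's code. It models a diagnostic action dispatched when debug mode is on.
DEBUG_MODE = False  # CM-6/CM-7: debugging stays off unless deliberately enabled

# Allowlist: each action maps to a fixed argv prefix run without a shell.
ALLOWED_ACTIONS = {
    "uptime": ["uptime"],
    "ping": ["ping", "-c", "1"],
}
# Hostname/IP syntax only; shell metacharacters such as ; | & $ ` never match.
HOST_RE = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")


def vulnerable_build_command(body: str) -> str:
    """'Before' pattern (CWE-77): untrusted JSON fields are concatenated into one
    string that the caller would hand to a shell, so metacharacters survive."""
    req = json.loads(body)
    return f"{req['cmd']} {req.get('arg', '')}"


def hardened_handle(body: str, session_valid: bool, debug_mode: bool = DEBUG_MODE):
    """Return (http_status, argv). argv is the exact vector to pass to
    subprocess.run(argv) with no shell, or None when the request is refused."""
    if not session_valid:
        return 401, None
    if not debug_mode:
        return 404, None          # least functionality: endpoint not exposed
    try:
        req = json.loads(body)
    except ValueError:
        return 400, None
    action = req.get("cmd")
    if action not in ALLOWED_ACTIONS:
        return 400, None          # unknown action: reject, never interpolate
    argv = list(ALLOWED_ACTIONS[action])
    if action == "ping":
        host = str(req.get("arg", ""))
        if not HOST_RE.match(host):
            return 400, None      # input validation on the only free-form field
        argv.append(host)
    return 200, argv
```

The hardened handler never builds a command string: the only way to influence execution is to pick an allowlisted action and supply a value that passes the host regex, and nothing is reachable at all while DEBUG_MODE is False.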