CVE-2025-22962

Severity: High · Type: RCE

Published: 13 February 2025

Modified: 15 April 2026
KEV Added: (not listed)
Patch: (none recorded)
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0112 (78.6th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-22962 is a high-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 21.4% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).

Deeper analysis

A critical remote code execution vulnerability affects the web-based management interface of GatesAir Maxiva UAXT and VAXT transmitters when debugging mode is enabled. The flaw, tracked as CVE-2025-22962 and assigned CWE-77, resides in the /json endpoint and permits an authenticated attacker to execute arbitrary commands on the underlying system through specially crafted POST requests that include a valid session ID.

An attacker who obtains a valid sess_id can exploit the issue over the network to achieve full system compromise. Successful exploitation grants unauthorized access, privilege escalation, and potential device takeover, consistent with the CVSS 7.2 rating, which reflects high impact on confidentiality, integrity, and availability while requiring high privileges and low attack complexity.

The sole reference is a public GitHub repository containing researcher analysis of the vulnerability; no vendor advisory, patch information, or mitigation guidance is provided in the available data. The associated EPSS score remains low and unchanged at 0.0112, with no indication of rising exploitation interest after disclosure.

Vulnerability details

A critical remote code execution (RCE) vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT and VAXT transmitters when debugging mode is enabled. An attacker with a valid session ID (sess_id) can send specially crafted POST requests to the /json endpoint, enabling arbitrary command execution on the underlying system. This vulnerability can lead to full system compromise, including unauthorized access, privilege escalation, and potentially full device takeover.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

A command injection RCE in the web management interface maps directly to T1190 (exploitation of a public-facing application) and to T1059.004 (arbitrary Unix shell command execution on the device).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-4048 (shared CWE-77)
CVE-2026-31059 (shared CWE-77)
CVE-2026-22284 (shared CWE-77)
CVE-2024-39783 (shared CWE-77)
CVE-2024-57583 (shared CWE-77)
CVE-2026-46368 (shared CWE-77)
CVE-2024-39781 (shared CWE-77)
CVE-2024-39367 (shared CWE-77)
CVE-2026-3518 (shared CWE-77)
CVE-2024-57590 (shared CWE-77)

Mitigating Controls (NIST 800-53 r5, AI-assigned)

Prevent: Secure configuration settings (CM-6) directly mitigate the vulnerability by disabling debugging mode in the web management interface, preventing the /json endpoint from being exploitable.

Prevent: Information input validation comprehensively addresses the command injection (CWE-77) in specially crafted POST requests to the /json endpoint.

Prevent: Least functionality (CM-7) ensures non-essential debugging capabilities are disabled, eliminating the conditions that enable arbitrary command execution.
