CVE-2025-22961
📋 TL;DR
Unauthenticated attackers can access sensitive database backup files containing user credentials through exposed URLs in GatesAir Maxiva transmitters' web management interface. This affects all systems running vulnerable versions of UAXT and VAXT transmitters with the web interface enabled. Successful exploitation could lead to credential theft and full system compromise.
💻 Affected Systems
- GatesAir Maxiva UAXT
- GatesAir Maxiva VAXT
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to transmitter systems, potentially disrupting broadcast operations, modifying configurations, or using the system as a pivot point into broadcast networks.
Likely Case
Attackers steal user credentials and gain unauthorized access to the management interface, allowing configuration changes, data exfiltration, or service disruption.
If Mitigated
With proper network segmentation and access controls, impact is limited to isolated broadcast equipment without access to critical network segments.
🎯 Exploit Status
Exploitation requires only a web browser or curl to request the exposed URLs. No authentication or special tools are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Contact GatesAir for latest firmware
Vendor Advisory: https://www.gatesair.com/support/security-advisories
Restart Required: Yes
Instructions:
1. Contact GatesAir support for the latest firmware.
2. Back up the current configuration.
3. Apply the firmware update via the web interface or the local update method.
4. Verify the patch by confirming that the exposed URLs now return 404 or 403.
🔧 Temporary Workarounds
Block Access to Vulnerable URLs
Configure the web server, or a firewall/reverse proxy in front of it, to block access to the /logs/devcfg/snapshot/ and /logs/devcfg/user/ paths.
# Example nginx config:
location ~ ^/logs/devcfg/(snapshot|user)/ {
    deny all;
}
# Example Apache config:
<LocationMatch "^/logs/devcfg/(snapshot|user)/">
    Require all denied
</LocationMatch>
Disable Web Interface
Temporarily disable the web-based management interface if it is not required.
# Consult GatesAir documentation for the procedure to disable the web interface
🧯 If You Can't Patch
- Implement strict network segmentation to isolate transmitter management interfaces from untrusted networks
- Implement IP-based access control lists to restrict management interface access to authorized administrative IPs only
🔍 How to Verify
Check if Vulnerable:
Attempt to access http://<transmitter-ip>/logs/devcfg/snapshot/snapshot_users.db and http://<transmitter-ip>/logs/devcfg/user/snapshot_users.db. If either request returns a database file, the system is vulnerable.
Check Version:
Check firmware version via web interface at http://<transmitter-ip>/status or consult GatesAir documentation
Verify Fix Applied:
After patching, request the same URLs. They should return 404 Not Found or 403 Forbidden instead of the database file.
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to /logs/devcfg/snapshot/ or /logs/devcfg/user/ paths
- Unusual database file downloads from transmitter IP
Network Indicators:
- GET requests to /logs/devcfg/snapshot/snapshot_users.db
- GET requests to /logs/devcfg/user/snapshot_users.db
- Database file transfers from transmitter management interface
SIEM Query:
source="web_server" AND (url="/logs/devcfg/snapshot/snapshot_users.db" OR url="/logs/devcfg/user/snapshot_users.db") AND response_code=200
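The log and network indicators above can be checked offline against exported access logs. The following script is an added example, not part of the advisory or GatesAir's software: it assumes the transmitter, or a reverse proxy in front of it, writes Combined Log Format lines (the advisory does not state the device's own log format), flags successful downloads of the two snapshot_users.db paths as high severity, and flags any other request into the /logs/devcfg/snapshot/ or /logs/devcfg/user/ directories (including 403/404 responses after patching) as medium severity, since those are evidence of probing. The sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Exact paths named in the advisory: a 200 response here means the user database was served.
SENSITIVE_PATHS = {
    "/logs/devcfg/snapshot/snapshot_users.db",
    "/logs/devcfg/user/snapshot_users.db",
}
# Directory prefixes from the advisory: any request under them is worth reviewing.
SENSITIVE_PREFIXES = ("/logs/devcfg/snapshot/", "/logs/devcfg/user/")

# Combined Log Format parser (assumption: the device or proxy logs in this format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Alert:
    severity: str  # "high": database file served; "medium": directory probed
    src: str
    ts: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert if the request touches the exposed paths, else None."""
    path = rec["path"].split("?", 1)[0]  # ignore query strings when matching
    status = int(rec["status"])
    if path in SENSITIVE_PATHS and status == 200:
        return Alert("high", rec["src"], rec["ts"], path, status)
    if path.startswith(SENSITIVE_PREFIXES):
        # Blocked or missing (403/404) still shows someone looked for the file.
        return Alert("medium", rec["src"], rec["ts"], path, status)
    return None


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run the detection over a sequence of log lines."""
    alerts: List[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        alert = classify(rec)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:14:02:11 +0000] "GET /status HTTP/1.1" 200 1834',
    '203.0.113.7 - - [10/Mar/2025:14:02:15 +0000] "GET /logs/devcfg/snapshot/snapshot_users.db HTTP/1.1" 200 65536',
    '198.51.100.20 - - [10/Mar/2025:14:05:01 +0000] "GET /logs/devcfg/user/snapshot_users.db?x=1 HTTP/1.1" 403 212',
    '198.51.100.20 - - [10/Mar/2025:14:05:02 +0000] "GET /logs/devcfg/user/ HTTP/1.1" 404 198',
    '192.0.2.9 - - [10/Mar/2025:14:06:00 +0000] "GET /logs/other/file.txt HTTP/1.1" 200 10',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} {a.src} {a.path} -> {a.status}")
```

Against the sample, the script reports one high alert (the 200 response for the snapshot copy of the database) and two medium alerts for the probes that were answered 403 and 404; the query-string variant is still matched because the path is normalised before comparison. Feed it real exported logs with `scan(open(path))` and treat any high alert as a confirmed credential disclosure that warrants a password reset on the device.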