CVE-2025-63212
📋 TL;DR
GatesAir Flexiva-LX devices expose session IDs in publicly accessible log files, allowing unauthenticated attackers to hijack admin sessions. This affects all models (LX100, LX300, LX600, LX1000) running firmware 1.0.13 or 2.0. Attackers can gain administrative access without credentials if an admin previously closed their browser without logging out.
💻 Affected Systems
- GatesAir Flexiva-LX100
- GatesAir Flexiva-LX300
- GatesAir Flexiva-LX600
- GatesAir Flexiva-LX1000
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full administrative compromise of broadcast equipment leading to service disruption, configuration changes, or unauthorized access to connected systems.
Likely Case
Unauthorized administrative access to the device allowing configuration changes, firmware manipulation, or service disruption.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to the device.
🎯 Exploit Status
Exploitation requires reading the log file and using extracted session IDs. No authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.gatesair.com/
Restart Required: No
Instructions:
Check GatesAir website for security advisories and firmware updates. No official patch confirmed at this time.
🔧 Temporary Workarounds
Restrict Log File Access
Configure the web server to block access to the /log/Flexiva%20LX.log file
# Add to web server configuration to deny access to log directory
location /log/ { deny all; }
Implement Session Timeout
Configure the device to automatically invalidate sessions after the browser is closed
# Configuration depends on device web interface settings
# Set session timeout to immediate on browser close
🧯 If You Can't Patch
- Isolate devices on separate VLAN with strict firewall rules blocking external access
- Implement mandatory logout procedures and train administrators to always log out properly
🔍 How to Verify
Check if Vulnerable:
Access http://device-ip/log/Flexiva%20LX.log and check if session IDs (sid parameters) are visible in the log file.
Check Version:
Check device web interface or console for firmware version information
Verify Fix Applied:
Attempt to access the log file URL and verify it returns 403/404 error or contains no session IDs.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful login with previously used session ID
- Unauthorized access to /log/Flexiva%20LX.log file
Network Indicators:
- Unusual HTTP requests to log file path from unauthorized IP addresses
- Session ID reuse from different source IPs
SIEM Query:
source="web_server" AND (uri="/log/Flexiva%20LX.log" OR (status=200 AND uri CONTAINS "sid="))
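The two indicators above (reads of the log file and one sid appearing from more than one source IP) implemented as an offline log check, as an added example that is not part of this advisory. It assumes Common Log Format access logs from the device or a reverse proxy in front of it, with the session ID carried as a `sid` query parameter; the log lines and addresses are constructed samples.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (CLF style); addresses and sids are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2025:09:01:12 +0000] "GET /login?sid=abc123 HTTP/1.1" 200 512
10.0.0.5 - - [10/Nov/2025:09:02:40 +0000] "GET /config?sid=abc123 HTTP/1.1" 200 2048
203.0.113.9 - - [10/Nov/2025:09:10:03 +0000] "GET /log/Flexiva%20LX.log HTTP/1.1" 200 90210
203.0.113.9 - - [10/Nov/2025:09:10:45 +0000] "GET /config?sid=abc123 HTTP/1.1" 200 2048
10.0.0.5 - - [10/Nov/2025:09:15:00 +0000] "GET /log/Flexiva%20LX.log HTTP/1.1" 403 153
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
SID_RE = re.compile(r'[?&]sid=([^&\s]+)')
LOG_PATH = unquote("/log/Flexiva%20LX.log")  # compare percent-decoded paths


def find_alerts(log_text):
    """Return (alert_type, source_ip, detail) tuples for the two advisory indicators."""
    alerts = []
    seen_ips = defaultdict(set)  # sid -> set of source IPs that presented it
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, uri, status = m["ip"], m["uri"], int(m["status"])
        path = unquote(uri.split("?", 1)[0])
        # Indicator 1: a successful read of the device log file (denied reads are not flagged)
        if path == LOG_PATH and status == 200:
            alerts.append(("log_file_read", ip, uri))
        # Indicator 2: a session ID first seen from one IP now presented by a different IP
        sm = SID_RE.search(uri)
        if sm:
            sid = sm.group(1)
            if seen_ips[sid] and ip not in seen_ips[sid]:
                alerts.append(("sid_reuse_new_ip", ip, sid))
            seen_ips[sid].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```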