Exploit Code Published for Critical GatesAir Transmitter Vulnerabilities, No Patches Available Yet

Summary: Security researcher Mohamed Shahat has disclosed three critical vulnerabilities in GatesAir’s Maxiva UAXT and VAXT transmitters, which are used in industries such as broadcasting and public safety. The vulnerabilities could lead to session hijacking, data breaches, and remote code execution, and proof-of-concept exploit code has been published, making exploitation easy. Organizations are urged to implement immediate defensive measures to mitigate the risks until patches are released.

Affected: GatesAir Maxiva UAXT and VAXT transmitters

Key points:

  • CVE-2025-22960: Allows unauthenticated access to log files, enabling session hijacking.
  • CVE-2025-22961: Grants direct access to sensitive database backups, risking a data breach.
  • CVE-2025-22962: Enables remote code execution when debugging mode is enabled, leading to potential system takeover.
  • Published proof-of-concept code increases the urgency for organizations to address these vulnerabilities.
  • Advice includes restricting access to sensitive files, applying strict permissions, and disabling debugging mode.

Source: https://securityonline.info/exploit-code-published-for-critical-gatesair-transmitter-vulnerabilities-no-patches-available-yet/