Security Advisory

CVE-2025-22961

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2025-02-13 00:00:00
Last updated 2025-03-12 18:56:37
Assigner mitre
State PUBLISHED

Description

A critical information disclosure vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT, VAXT transmitters due to Incorrect Access Control (CWE-284). Unauthenticated attackers can directly access sensitive database backup files (snapshot_users.db) via publicly exposed URLs (/logs/devcfg/snapshot/ and /logs/devcfg/user/). Exploiting this vulnerability allows retrieval of sensitive user data, including login credentials, potentially leading to full system compromise.