Security Vulnerabilities in GatesAir Maxiva Transmitters


Multiple critical vulnerabilities have been identified in the web-based management interface of GatesAir Maxiva UAXT and VAXT transmitters. These vulnerabilities include remote code execution (RCE), information disclosure, and session hijacking, potentially leading to full system compromise. (February 13, 2025)  

A critical remote code execution vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT and VAXT transmitters when debugging mode is on. An attacker with a valid session ID (sess_id) can send specially crafted POST requests to the /json endpoint, enabling arbitrary command execution on the underlying system. This vulnerability can lead to full system compromise, including unauthorized access, privilege escalation, and potentially full device takeover.


An attacker exploits this vulnerability by obtaining a valid session ID through other means (e.g., session hijacking) and then crafts a malicious POST request to the /json endpoint to execute arbitrary commands on the transmitter. This could allow the attacker to reconfigure the transmitter, inject malicious code, or exfiltrate sensitive data.

A critical information disclosure vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT and VAXT transmitters due to Incorrect Access Control (CWE-284). Unauthenticated attackers can directly access sensitive database backup files (snapshot_users.db) via publicly exposed URLs (/logs/devcfg/snapshot/ and /logs/devcfg/user/). Exploiting this vulnerability allows retrieval of sensitive user data, including login credentials, potentially leading to full system compromise.


An unauthenticated attacker discovers the publicly exposed URLs for the database backup files and downloads them. The attacker then extracts sensitive user data, including login credentials, from the backup files. This allows the attacker to gain unauthorized access to the transmitter's management interface and potentially compromise the entire system.

A session hijacking vulnerability exists in the web-based management interface of GatesAir Maxiva UAXT and VAXT transmitters. Unauthenticated attackers can access exposed log files (/logs/debug/xteLog*), potentially revealing sensitive session-related information such as session IDs (sess_id) and authentication success tokens (user_check_password OK). Exploiting this flaw could allow attackers to hijack active sessions, gain unauthorized access, and escalate privileges on affected devices.


An unauthenticated attacker accesses the exposed log files and retrieves a valid session ID. The attacker then uses this session ID to impersonate the legitimate user and gain unauthorized access to the transmitter's management interface. This allows the attacker to perform actions as the legitimate user, potentially compromising the system.
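For defenders, the three issues above leave a recognizable trail in HTTP access logs: requests to the backup and debug-log paths, followed by POSTs to /json from the same source. The following is an added detection example, not code from the advisory or from GatesAir; it assumes a reverse proxy in front of the transmitter writes Common Log Format lines, and the sample lines and the file names xteLog0 and xteLog1 are constructed.

```python
import re

# Paths named in the advisory text above.
BACKUP_PREFIXES = ("/logs/devcfg/snapshot/", "/logs/devcfg/user/")
SESSION_LOG_PREFIX = "/logs/debug/xteLog"
JSON_ENDPOINT = "/json"

# Assumption: Common Log Format, as written by a reverse proxy in front of the device.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def analyze(lines):
    """Return (line_no, source_ip, finding) tuples for suspicious requests."""
    findings = []
    read_session_log = set()  # sources that successfully fetched an xteLog file
    for no, line in enumerate(lines, 1):
        m = CLF.match(line)
        if not m:
            continue  # not an access-log line; skip it
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = m["path"].split("?", 1)[0]  # ignore any query string
        ok = 200 <= status < 300
        if path.startswith(BACKUP_PREFIXES):
            findings.append((no, ip, "backup-download" if ok else "backup-probe"))
        elif path.startswith(SESSION_LOG_PREFIX):
            findings.append((no, ip, "session-log-read" if ok else "session-log-probe"))
            if ok:
                read_session_log.add(ip)
        elif method == "POST" and path == JSON_ENDPOINT and ip in read_session_log:
            # A /json POST from a source that just read session logs matches
            # the session-hijack-then-command chain described above.
            findings.append((no, ip, "json-post-after-log-read"))
    return findings

# Constructed sample lines (not taken from a real device).
SAMPLE = [
    '10.0.0.5 - - [13/Feb/2025:10:00:01 +0000] "POST /json HTTP/1.1" 200 312',
    '198.51.100.7 - - [13/Feb/2025:10:02:11 +0000] "GET /logs/devcfg/user/snapshot_users.db HTTP/1.1" 200 20480',
    '198.51.100.7 - - [13/Feb/2025:10:02:40 +0000] "GET /logs/debug/xteLog0 HTTP/1.1" 200 88112',
    '198.51.100.7 - - [13/Feb/2025:10:03:05 +0000] "POST /json HTTP/1.1" 200 97',
    '203.0.113.9 - - [13/Feb/2025:10:05:00 +0000] "GET /logs/debug/xteLog1 HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```

Correlating on source address is a heuristic: a session ID read from one address can be replayed from another, so any successful read of the backup or debug-log paths should be treated as credential and session exposure on its own.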



Crow

physics, information technologies, author, educator
