GatesAir Maxiva UAXT and VAXT Transmitter Remote Code Execution Vulnerability

Vulnerability

A critical remote code execution vulnerability has been identified in the web-based management interface of GatesAir Maxiva UAXT and VAXT transmitters, specifically when debugging mode is enabled. This vulnerability allows an attacker with a valid session ID to send specially crafted POST requests to the '/json' endpoint, executing arbitrary commands on the underlying system. The exploitation of this vulnerability could lead to full system compromise, including unauthorized access, privilege escalation, and complete device takeover.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the affected system, potentially leading to full system compromise and administrative access.

Reproduction

To reproduce this vulnerability, access the web-based management interface of a GatesAir Maxiva UAXT or VAXT transmitter with debugging mode enabled. Once in the interface, use a valid session ID to send POST requests to the '/json' endpoint, including the 'cmd' parameter with the desired command execution request. The server will execute the command on the underlying system, demonstrating the remote code execution vulnerability.

Remediation

To address this vulnerability, GatesAir should restrict access to debugging features and administrative endpoints, implement stronger authentication and session management, properly sanitize user inputs and commands, disable debugging mode in production environments, and conduct a comprehensive security audit of the management interface and backend system.
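As an added illustration of the remediation points above (this is not GatesAir's code and the page does not describe the firmware's internal API), the handler below shows what a hardened '/json' endpoint looks like once the advice is applied: the 'cmd' parameter is refused outright when debug mode is off, accepted only from an authenticated admin session on a management network, and even then dispatched to a fixed allowlist of diagnostic functions rather than passed to a shell, with every refusal written to an audit log. The Request and Config types, the management network range, the session store and the diagnostic names are all constructed for the example.

```python
import ipaddress
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


# Constructed stand-ins for the appliance's request and configuration objects
# (hypothetical; the advisory says nothing about the real firmware internals).
@dataclass
class Request:
    method: str
    path: str
    body: bytes
    session_id: Optional[str]
    remote_addr: str


@dataclass
class Config:
    debug_mode: bool = False
    mgmt_networks: Tuple[str, ...] = ("10.10.0.0/16",)  # constructed example range
    sessions: Dict[str, str] = field(default_factory=dict)  # session_id -> role


# Allowlisted diagnostics (hypothetical names). Each entry is a fixed function,
# so the request never supplies a command string and nothing reaches a shell.
DIAG_ACTIONS: Dict[str, Callable[[], str]] = {
    "dump_status": lambda: "tx: on, power: nominal",
    "uptime": lambda: "up 3 days",
}


def _client_in_mgmt_network(addr: str, networks: Tuple[str, ...]) -> bool:
    """True only if the client address parses and lies inside a management range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(n) for n in networks)


def handle_json_endpoint(req: Request, cfg: Config, audit: List[str]) -> Tuple[int, dict]:
    """Return (http_status, response_body) for a request to the '/json' endpoint."""
    if req.path != "/json" or req.method != "POST":
        return 404, {"error": "not found"}

    try:
        payload = json.loads(req.body)
        if not isinstance(payload, dict):
            raise ValueError("body must be a JSON object")
    except (ValueError, UnicodeDecodeError):
        return 400, {"error": "malformed body"}

    # Session check comes first: an unknown or missing session ID never reaches
    # the debug path, so a leaked endpoint alone is not enough.
    role = cfg.sessions.get(req.session_id or "")
    if role is None:
        audit.append(f"reject unauthenticated /json request from {req.remote_addr}")
        return 401, {"error": "authentication required"}

    if "cmd" not in payload:
        return 200, {"result": "ok"}  # ordinary, non-debug API use

    # Debug command path: every gate below must pass, and each refusal is logged.
    action = str(payload["cmd"])
    if not cfg.debug_mode:
        audit.append(f"reject cmd={action!r}: debug mode disabled ({req.remote_addr})")
        return 403, {"error": "debug interface disabled"}
    if role != "admin":
        audit.append(f"reject cmd={action!r}: role {role!r} is not admin ({req.remote_addr})")
        return 403, {"error": "administrator session required"}
    if not _client_in_mgmt_network(req.remote_addr, cfg.mgmt_networks):
        audit.append(f"reject cmd={action!r}: {req.remote_addr} outside management network")
        return 403, {"error": "debug interface restricted to management network"}

    handler = DIAG_ACTIONS.get(action)
    if handler is None:
        audit.append(f"reject unknown cmd={action!r} ({req.remote_addr})")
        return 403, {"error": "unknown diagnostic"}

    audit.append(f"run cmd={action!r} by admin session {req.session_id} ({req.remote_addr})")
    return 200, {"result": handler()}
```

The ordering matters: authentication is checked before the body is even inspected for 'cmd', the debug-mode flag is a hard gate rather than a hint, and the allowlist lookup replaces any string-to-shell step, which is the change that removes the command injection class entirely rather than filtering individual characters.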

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.