Security Vulnerability Report
中文
CVE-2025-63212 CVSS 6.5 MEDIUM

CVE-2025-63212

Published: 2025-11-19 20:15:53
Last Modified: 2026-01-15 18:31:03
Source: [email protected]

Description

GatesAir Flexiva-LX devices on firmware 1.0.13 and 2.0, including models LX100, LX300, LX600, and LX1000, expose sensitive session identifiers (sid) in the publicly accessible log file located at /log/Flexiva%20LX.log. An unauthenticated attacker can retrieve valid session IDs and hijack sessions without providing any credentials. This attack requires the legitimate user (admin) to have previously closed the browser window without logging out.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:gatesair:flexiva_lx100_firmware:1.0.13:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:gatesair:flexiva_lx100_firmware:2.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:gatesair:flexiva_lx100:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:gatesair:flexiva_lx300_firmware:1.0.13:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:gatesair:flexiva_lx300_firmware:2.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:gatesair:flexiva_lx300:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:gatesair:flexiva_lx600_firmware:1.0.13:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:gatesair:flexiva_lx600_firmware:2.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:gatesair:flexiva_lx600:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:gatesair:flexiva_lx1000_firmware:1.0.13:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:gatesair:flexiva_lx1000_firmware:2.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:gatesair:flexiva_lx1000:-:*:*:*:*:*:*:* - NOT VULNERABLE
Flexiva-LX firmware 1.0.13
Flexiva-LX firmware 2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
GET /log/Flexiva%20LX.log HTTP/1.1 Host: target.com

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-63212", "sourceIdentifier": "[email protected]", "published": "2025-11-19T20:15:53.380", "lastModified": "2026-01-15T18:31:02.980", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "GatesAir Flexiva-LX devices on firmware 1.0.13 and 2.0, including models LX100, LX300, LX600, and LX1000, expose sensitive session identifiers (sid) in the publicly accessible log file located at /log/Flexiva%20LX.log. An unauthenticated attacker can retrieve valid session IDs and hijack sessions without providing any credentials. This attack requires the legitimate user (admin) to have previously closed the browser window without logging out."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:gatesair:flexiva_lx100_firmware:1.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "FAE101C6-1663-4A58-B9A7-41BAFD0B2BA1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:gatesair:flexiva_lx100_firmware:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "4F5CE624-254C-472E-8D1D-1C3463281CA0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:gatesair:flexiva_lx100:-:*:*:*:*:*:*:*", "matchCriteriaId": "4F1D8D39-E16E-440C-AC90-8060CB2C0EB4"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:gatesair:flexiva_lx300_firmware:1.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "2D1F6D30-F5D0-4D5A-890D-F9BBCBBB3C45"}, {"vulnerable": true, "criteria": "cpe:2.3:o:gatesair:flexiva_lx300_firmware:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "5A53C617-AA10-46A9-B596-3CBC5D4760D5"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:gatesair:flexiva_lx300:-:*:*:*:*:*:*:*", "matchCriteriaId": "9A57C780-A6FD-4C47-A7CC-3F5F09B92B16"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:gatesair:flexiva_lx600_firmware:1.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "67C103A0-68B1-449B-95AA-12B8467A6588"}, {"vulnerable": true, "criteria": "cpe:2.3:o:gatesair:flexiva_lx600_firmware:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "C78DD920-FF73-4575-AE89-AF6608857C25"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:gatesair:flexiva_lx600:-:*:*:*:*:*:*:*", "matchCriteriaId": "4EAAF4DB-9F0D-4401-9560-1C463274EB9C"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:gatesair:flexiva_lx1000_firmware:1.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "EEA61DCA-EAAC-4C60-9070-8AAFF7F2B821"}, {"vulnerable": true, "criteria": "cpe:2.3:o:gatesair:flexiva_lx1000_firmware:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "B168C928-7586-4AB9-95FB-5D759350AD6F"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:gatesair:flexiva_lx1000:-:*:*:*:*:*:*:*", "matchCriteriaId": "7882D4C9-E3F8-40B9-BDFC-0216066E7907"}]}]}], "references": [{"url": "https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63212%20_GatesAir%20Flexiva-LX%20Series%20_%20Session%20Hijacking", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.gatesair.com/", "source": "[email protected]", "tags": ["Product"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.