CVE-2025-63212
Severity CVSS v4.0: Pending analysis
Type: CWE-200 Information Leak / Disclosure
Publication date: 19/11/2025
Last modified: 15/01/2026
Description
GatesAir Flexiva-LX devices on firmware 1.0.13 and 2.0, including models LX100, LX300, LX600, and LX1000, expose sensitive session identifiers (sid) in the publicly accessible log file located at /log/Flexiva%20LX.log. An unauthenticated attacker can retrieve valid session IDs and hijack sessions without providing any credentials. This attack requires the legitimate user (admin) to have previously closed the browser window without logging out.
Impact
Base Score 3.x: 6.50
Severity 3.x: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:gatesair:flexiva_lx100_firmware:1.0.13:*:*:*:*:*:*:* | ||
| cpe:2.3:o:gatesair:flexiva_lx100_firmware:2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:h:gatesair:flexiva_lx100:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:gatesair:flexiva_lx300_firmware:1.0.13:*:*:*:*:*:*:* | ||
| cpe:2.3:o:gatesair:flexiva_lx300_firmware:2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:h:gatesair:flexiva_lx300:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:gatesair:flexiva_lx600_firmware:1.0.13:*:*:*:*:*:*:* | ||
| cpe:2.3:o:gatesair:flexiva_lx600_firmware:2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:h:gatesair:flexiva_lx600:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:gatesair:flexiva_lx1000_firmware:1.0.13:*:*:*:*:*:*:* | ||
| cpe:2.3:o:gatesair:flexiva_lx1000_firmware:2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:h:gatesair:flexiva_lx1000:-:*:*:*:*:*:*:* | ||



