Vulnerability Details CVE-2025-63212
GatesAir Flexiva-LX devices on firmware 1.0.13 and 2.0, including models LX100, LX300, LX600, and LX1000, expose sensitive session identifiers (sid) in the publicly accessible log file located at /log/Flexiva%20LX.log. An unauthenticated attacker can retrieve valid session IDs and hijack sessions without providing any credentials. This attack requires the legitimate user (admin) to have previously closed the browser window without logging out.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 24.0%
CVSS Severity
CVSS v3 Score 6.5
References
Products affected by CVE-2025-63212
-
cpe:2.3:h:gatesair:flexiva_lx1000:-
-
cpe:2.3:h:gatesair:flexiva_lx100:-
-
cpe:2.3:h:gatesair:flexiva_lx300:-
-
cpe:2.3:h:gatesair:flexiva_lx600:-
-
cpe:2.3:o:gatesair:flexiva_lx1000_firmware:1.0.13
-
cpe:2.3:o:gatesair:flexiva_lx1000_firmware:2.0
-
cpe:2.3:o:gatesair:flexiva_lx100_firmware:1.0.13
-
cpe:2.3:o:gatesair:flexiva_lx100_firmware:2.0
-
cpe:2.3:o:gatesair:flexiva_lx300_firmware:1.0.13
-
cpe:2.3:o:gatesair:flexiva_lx300_firmware:2.0
-
cpe:2.3:o:gatesair:flexiva_lx600_firmware:1.0.13
-
cpe:2.3:o:gatesair:flexiva_lx600_firmware:2.0