CVE-2025-63212: n/a
GatesAir Flexiva-LX devices on firmware 1.0.13 and 2.0, including models LX100, LX300, LX600, and LX1000, expose sensitive session identifiers (sid) in the publicly accessible log file located at /log/Flexiva%20LX.log. An unauthenticated attacker can retrieve valid session IDs and hijack sessions without providing any credentials. This attack requires the legitimate user (admin) to have previously closed the browser window without logging out.
AI Analysis
Technical Summary
CVE-2025-63212 is a session hijacking vulnerability found in GatesAir Flexiva-LX broadcast devices, specifically models LX100, LX300, LX600, and LX1000 running firmware versions 1.0.13 and 2.0. The root cause is the exposure of sensitive session identifiers (session IDs or sids) within a publicly accessible log file located at /log/Flexiva%20LX.log. This log file can be accessed without authentication, allowing an attacker to retrieve valid session tokens. The vulnerability arises when an administrator closes their browser window without explicitly logging out, leaving the session active and the session ID valid. An attacker who obtains this session ID can hijack the admin session, gaining unauthorized access to the device's management interface. This access can lead to unauthorized configuration changes, disruption of broadcast services, or further lateral movement within the network. The attack requires no authentication or user interaction beyond the prior session state, making it relatively easy to exploit if the log file is accessible. Although no public exploits are reported yet, the exposure of session IDs in a public log file represents a critical security flaw. The lack of a CVSS score indicates this is a newly published vulnerability, and no patches or mitigations have been officially released. The vulnerability affects critical broadcast infrastructure devices, which are often deployed in European media organizations, making it a significant operational risk.
Potential Impact
For European organizations, particularly broadcasters and media companies using GatesAir Flexiva-LX devices, this vulnerability poses a serious threat to operational continuity and security. Unauthorized session hijacking can lead to full administrative control over broadcast equipment, enabling attackers to disrupt transmissions, alter broadcast content, or disable services. This could result in reputational damage, regulatory penalties, and financial losses. The exposure of session IDs in publicly accessible logs increases the attack surface, especially in environments where network segmentation or access controls are insufficient. Given the critical role of broadcast infrastructure in information dissemination, exploitation could also have broader societal impacts, including misinformation or loss of emergency communication capabilities. The ease of exploitation without authentication or user interaction further elevates the risk. European organizations with remote or web-based management of these devices are particularly vulnerable if access controls to logs are lax or if administrators habitually close browsers without logging out.
Mitigation Recommendations
1. Immediately restrict access to the /log directory and specifically to the Flexiva LX.log file by implementing strict access controls at the network and device levels, ensuring only authorized personnel can access logs.
2. Enforce strict session management policies on the devices, including automatic session expiration and invalidation upon browser closure or after a short inactivity timeout.
3. Educate administrators to always log out explicitly from the management interface instead of closing the browser window to prevent session persistence.
4. Monitor access logs for unusual or unauthorized retrieval of log files or session identifiers.
5. Implement network segmentation to isolate broadcast management interfaces from general user networks and the internet.
6. Contact GatesAir for firmware updates or patches addressing this vulnerability and plan for prompt deployment once available.
7. Consider deploying web application firewalls or reverse proxies that can filter unauthorized access to sensitive files.
8. Regularly audit device configurations and logs to detect potential exploitation attempts.
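As an added defender-side example (not code from the advisory or from GatesAir), the Python below shows two of the controls above: masking the session identifier before a line is written to the device log, which removes the root cause described in the Technical Summary, and flagging access-log entries that fetched the log file without an authenticated user (step 4). The log path is the one in the advisory; the sid format, the Common Log Format layout and the sample lines are assumptions constructed for the example.

```python
import re
from typing import Iterable, List
from urllib.parse import unquote

# Path from the advisory (URL-encoded space); compared after decoding so
# "/log/Flexiva LX.log" and "/log/Flexiva%20LX.log" are treated as the same file.
LOG_PATH = "/log/Flexiva%20LX.log"

# The advisory only says the log exposes a "sid" value; its exact format is not
# published. This pattern is an assumption covering query-string, cookie and
# key=value forms, case-insensitively.
SID_RE = re.compile(r"(?i)(\bsid\s*[=:]\s*)([A-Za-z0-9._\-]+)")


def redact_sid(line: str) -> str:
    """Mask any session identifier before the line reaches the log file.
    Long tokens keep their last 4 characters so events can still be correlated;
    short tokens are masked entirely."""
    def mask(m: re.Match) -> str:
        token = m.group(2)
        keep = token[-4:] if len(token) > 8 else ""
        return m.group(1) + "*" * (len(token) - len(keep)) + keep
    return SID_RE.sub(mask, line)


# Constructed access-log lines in Common Log Format (client, ident, user, time,
# request, status, bytes). Assumes the device records the authenticated user in
# the CLF user field and "-" when the request carried no valid session.
ACCESS_LOG = """\
10.0.0.5 - admin [19/Nov/2025:19:51:16 +0000] "GET /ui/status HTTP/1.1" 200 512
203.0.113.7 - - [19/Nov/2025:19:52:01 +0000] "GET /log/Flexiva%20LX.log HTTP/1.1" 200 8192
10.0.0.5 - admin [19/Nov/2025:19:53:40 +0000] "GET /log/Flexiva%20LX.log HTTP/1.1" 200 8192
203.0.113.9 - - [19/Nov/2025:19:54:12 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

CLF_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def unauthenticated_log_reads(lines: Iterable[str]) -> List[str]:
    """Return client addresses that successfully fetched the device log file
    while no authenticated user was recorded (mitigation step 4)."""
    hits: List[str] = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in CLF layout
        ip, user, _method, path, status = m.groups()
        if unquote(path).lower() == unquote(LOG_PATH).lower() and user == "-" and status == "200":
            hits.append(ip)
    return hits
```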
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 691e1fb449ba98bd818e9a25
Added to database: 11/19/2025, 7:51:16 PM
Last enriched: 11/19/2025, 8:05:32 PM
Last updated: 11/19/2025, 9:28:53 PM